Preface


This  book  presents  the  basic  paradigms  and  principles  of  modern  cryptogra- 
phy. It  is  designed  to  serve  as  a textbook  for  undergraduate-  or  graduate-level 
courses  in  cryptography  (in  computer  science  or  mathematics  departments), 
as  a general  introduction  suitable  for  self-study  (especially  for  beginning  grad- 
uate students),  and  as  a reference  for  students,  researchers,  and  practitioners. 

There  are  numerous  other  cryptography  textbooks  available  today,  and  the 
reader  may  rightly  ask  whether  another  book  on  the  subject  is  needed.  We 
would  not  have  written  this  book  if  the  answer  to  that  question  were  anything 
other  than  an  unequivocal  yes.  The  novelty  of  this  book  — and  what,  in  our 
opinion,  distinguishes  it  from  all  other  books  currently  available  — is  that  it 
provides  a rigorous  treatment  of  modern  cryptography  in  an  accessible  manner 
appropriate  for  an  introduction  to  the  topic. 

As mentioned, our focus is on modern (post-1980s) cryptography, which is distinguished from classical cryptography by its emphasis on definitions, precise assumptions, and rigorous proofs of security. We briefly discuss each of these in turn (these principles are explored in greater detail in Chapter 1):

• The  central  role  of  definitions:  A key  intellectual  contribution  of 
modern  cryptography  has  been  the  recognition  that  formal  definitions 
of  security  are  an  essential  first  step  in  the  design  of  any  cryptographic 
primitive  or  protocol.  The  reason,  in  retrospect,  is  simple:  if  you  don’t 
know  what  it  is  you  are  trying  to  achieve,  how  can  you  hope  to  know 
when  you  have  achieved  it?  As  we  will  see  in  this  book,  cryptographic 
definitions  of  security  are  quite  strong  and  — at  first  glance  — may 
appear  impossible  to  achieve.  One  of  the  most  amazing  aspects  of  cryp- 
tography is  that  (under  mild  and  widely- believed  assumptions)  efficient 
constructions  satisfying  such  strong  definitions  can  be  proven  to  exist. 

• The importance of formal and precise assumptions: As will be explained in Chapters 2 and 3, many cryptographic constructions cannot currently be proven secure in an unconditional sense. Security often relies, instead, on some widely-believed (albeit unproven) assumption. The modern cryptographic approach dictates that any such assumption must be clearly stated and unambiguously defined. This not only allows for objective evaluation of the assumption but, more importantly, enables rigorous proofs of security as described next.

• The possibility of rigorous proofs of security: The previous two ideas lead naturally to the current one, which is the realization that cryptographic constructions can be proven secure with respect to a clearly stated definition of security and relative to a well-defined cryptographic assumption. This is the essence of modern cryptography, and what transformed cryptography from an art to a science.

The importance of this idea cannot be over-emphasized. Historically, cryptographic schemes were designed in a largely ad-hoc fashion, and were deemed to be secure if the designers themselves could not find any attacks. In contrast, modern cryptography promotes the design of schemes with formal, mathematical proofs of security in well-defined models. Such schemes are guaranteed to be secure unless the underlying assumption is false (or the security definition did not appropriately model the real-world security concerns). By relying on long-standing assumptions (e.g., the assumption that “factoring is hard”), it is thus possible to obtain schemes that are extremely unlikely to be broken.

A unified approach. The above contributions of modern cryptography are relevant not only to the “theory of cryptography” community. The importance of precise definitions is, by now, widely understood and appreciated by those in the security community who use cryptographic tools to build secure systems, and rigorous proofs of security have become one of the requirements for cryptographic schemes to be standardized. As such, we do not separate “applied cryptography” from “provable security”; rather, we present practical and widely-used constructions along with precise statements (and, most of the time, a proof) of what definition of security is achieved.

Guide  to  Using  this  Book 

This section is intended primarily for instructors seeking to adopt this book for their course, though the student picking up this book on his or her own may also find it a useful overview of the topics that will be covered.

Required background. This book uses definitions, proofs, and mathematical concepts, and therefore requires some mathematical maturity. In particular, the reader is assumed to have had some exposure to proofs at the college level, say in an upper-level mathematics course or a course on discrete mathematics, algorithms, or computability theory. Having said this, we have made a significant effort to simplify the presentation and make it generally accessible. It is our belief that this book is not more difficult than analogous textbooks that are less rigorous. On the contrary, we believe that (to take one example) once security goals are clearly formulated, it often becomes easier to understand the design choices made in a particular construction.

We have structured the book so that the only formal prerequisites are a course in algorithms and a course in discrete mathematics. Even here we rely on very little material: specifically, we assume some familiarity with basic probability and big-O notation, modular arithmetic, and the idea of equating efficient algorithms with those running in polynomial time. These concepts are reviewed in Appendix A and/or when first used in the book.

Suggestions  for  course  organization.  The  core  material  of  this  book, 
which  we  strongly  recommend  should  be  covered  in  any  introductory  course 
on  cryptography,  consists  of  the  following  (starred  sections  are  excluded  in 
what  follows;  see  further  discussion  regarding  starred  material  below): 

• Chapters  1-4  (through  Section  4.6),  discussing  classical  cryptography, 
modern  cryptography,  and  the  basics  of  private-key  cryptography  (both 
private-key  encryption  and  message  authentication). 

• Chapter 5, illustrating basic design principles for block ciphers and including material on the widely-used block ciphers DES and AES.¹

• Chapter 7, introducing concrete mathematical problems believed to be “hard”, and providing the number-theoretic background needed to understand the RSA, Diffie-Hellman, and El Gamal cryptosystems. This chapter also gives the first examples of how number-theoretic assumptions are used in cryptography.

• Chapters 9 and 10, motivating the public-key setting and discussing public-key encryption (including RSA-based schemes and El Gamal encryption).

• Chapter  12,  describing  digital  signature  schemes. 

• Sections  13.1  and  13.3,  introducing  the  random  oracle  model  and  the 
RSA-FDH  signature  scheme. 

We believe that this core material — possibly omitting some of the more in-depth discussion and proofs — can be covered in a 30-35-hour undergraduate
course.  Instructors  with  more  time  available  could  proceed  at  a more  leisurely 
pace,  e.g.,  giving  details  of  all  proofs  and  going  more  slowly  when  introducing 
the  underlying  group  theory  and  number-theoretic  background.  Alternatively, 
additional  topics  could  be  incorporated  as  discussed  next. 

Those  wishing  to  cover  additional  material,  in  either  a longer  course  or  a 
faster-paced  graduate  course,  will  find  that  the  book  has  been  structured  to 
allow flexible incorporation of other topics as time permits (and depending on the instructor’s interests). Specifically, some of the chapters and sections are
starred  (*).  These  sections  are  not  less  important  in  any  way,  but  arguably 
do  not  constitute  “core  material”  for  an  introductory  course  in  cryptography. 
As  made  evident  by  the  course  outline  just  given  (which  does  not  include  any 
starred  material),  starred  chapters  and  sections  may  be  skipped  — or  covered 
at  any  point  subsequent  to  their  appearance  in  the  book  — without  affecting 


¹ Although we consider this to be core material, it is not used in the remainder of the book and so this chapter can be skipped if desired.
the flow of the course. In particular, we have taken care to ensure that none of
the  later  un-starred  material  depends  on  any  starred  material.  For  the  most 
part,  the  starred  chapters  also  do  not  depend  on  each  other  (and  when  they 
do,  this  dependence  is  explicitly  noted). 

We suggest the following from among the starred topics for those wishing to give their course a particular flavor:

• Theory: A more theoretically-inclined course could include material from Section 3.2.2 (building to a definition of semantic security for encryption); Sections 4.8 and 4.9 (dealing with stronger notions of security for private-key encryption); Chapter 6 (introducing one-way functions and hard-core bits, and constructing pseudorandom generators and pseudorandom functions/permutations starting from any one-way permutation); Section 10.7 (constructing public-key encryption from trapdoor permutations); Chapter 11 (describing the Goldwasser-Micali, Rabin, and Paillier encryption schemes); and Section 12.6 (showing a signature scheme that does not rely on random oracles).

• Applications:  An  instructor  wanting  to  emphasize  practical  aspects 
of  cryptography  is  highly  encouraged  to  cover  Section  4.7  (describing 
HMAC)  and  all  of  Chapter  13  (giving  cryptographic  constructions  in 
the  random  oracle  model). 

• Mathematics:  A course  directed  at  students  with  a strong  mathematics 
background  — or  taught  by  someone  who  enjoys  this  aspect  of  cryptog- 
raphy — could  incorporate  some  of  the  more  advanced  number  theory 
from Chapter 7 (e.g., the Chinese remainder theorem and/or elliptic-curve groups); all of Chapter 8 (algorithms for factoring and computing
discrete  logarithms);  and  selections  from  Chapter  11  (describing  the 
Goldwasser-Micali,  Rabin,  and  Paillier  encryption  schemes  along  with 
the  necessary  number-theoretic  background). 

Comments  and  Errata 

Our  goal  in  writing  this  book  was  to  make  modern  cryptography  accessible 
to  a wide  audience  outside  the  “theoretical  computer  science”  community.  We 
hope  you  will  let  us  know  whether  we  have  succeeded.  In  particular,  we  are 
always  more  than  happy  to  receive  feedback  on  this  book,  especially  construc- 
tive comments  telling  us  how  the  book  can  be  improved.  We  hope  there  are 
no  errors  or  typos  in  the  book;  if  you  do  find  any,  however,  we  would  greatly 
appreciate  it  if  you  let  us  know.  (A  list  of  known  errata  will  be  maintained 
at  http://www.cs.umd.edu/~jkatz/imc.html.)  You  can  email  your  com- 
ments and  errata  to  jkatz@cs.umd.edu  and  lindell@cs.biu.ac.il;  please 
put  “Introduction  to  Modern  Cryptography”  in  the  subject  line. 
Chapter 1


Introduction 


1.1  Cryptography  and  Modern  Cryptography 

The  Concise  Oxford  Dictionary  (2006)  defines  cryptography  as  the  art  of 
writing  or  solving  codes.  This  definition  may  be  historically  accurate,  but  it 
does  not  capture  the  essence  of  modern  cryptography.  First,  it  focuses  solely 
on  the  problem  of  secret  communication.  This  is  evidenced  by  the  fact  that 
the  definition  specifies  “codes” , elsewhere  defined  as  “a  system  of  pre-arranged 
signals,  especially  used  to  ensure  secrecy  in  transmitting  messages” . Second, 
the  definition  refers  to  cryptography  as  an  art  form.  Indeed,  until  the  20th 
century  (and  arguably  until  late  in  that  century),  cryptography  was  an  art. 
Constructing  good  codes,  or  breaking  existing  ones,  relied  on  creativity  and 
personal skill. There was very little theory that could be relied upon and there was not even a well-defined notion of what constitutes a good code.

In  the  late  20th  century,  this  picture  of  cryptography  radically  changed.  A 
rich theory emerged, enabling the rigorous study of cryptography as a science. Furthermore, the field of cryptography now encompasses much more
than  secret  communication.  For  example,  it  deals  with  the  problems  of  mes- 
sage authentication,  digital  signatures,  protocols  for  exchanging  secret  keys, 
authentication  protocols,  electronic  auctions  and  elections,  digital  cash  and 
more.  In  fact,  modern  cryptography  can  be  said  to  be  concerned  with  prob- 
lems that  may  arise  in  any  distributed  computation  that  may  come  under 
internal  or  external  attack.  Without  attempting  to  provide  a perfect  defi- 
nition of  modern  cryptography,  we  would  say  that  it  is  the  scientific  study 
of  techniques  for  securing  digital  information,  transactions,  and  distributed 
computations. 

Another  very  important  difference  between  classical  cryptography  (say,  be- 
fore the  1980s)  and  modern  cryptography  relates  to  who  uses  it.  Historically, 
the  major  consumers  of  cryptography  were  military  and  intelligence  organi- 
zations. Today,  however,  cryptography  is  everywhere!  Security  mechanisms 
that  rely  on  cryptography  are  an  integral  part  of  almost  any  computer  sys- 
tem. Users  (often  unknowingly)  rely  on  cryptography  every  time  they  access 
a secured  website.  Cryptographic  methods  are  used  to  enforce  access  control 
in  multi-user  operating  systems,  and  to  prevent  thieves  from  extracting  trade 
secrets  from  stolen  laptops.  Software  protection  methods  employ  encryption, 
authentication,  and  other  tools  to  prevent  copying.  The  list  goes  on  and  on. 
In short, cryptography has gone from an art form that dealt with secret
communication  for  the  military  to  a science  that  helps  to  secure  systems  for 
ordinary  people  all  across  the  globe.  This  also  means  that  cryptography  is 
becoming  a more  and  more  central  topic  within  computer  science. 

The focus of this book is modern cryptography. Yet we will begin our study by examining the state of cryptography before the changes mentioned above. Besides allowing us to ease into the material, it will also provide an understanding of where cryptography has come from so that we can later appreciate how much it has changed. The study of “classical cryptography” — replete with ad-hoc constructions of codes, and relatively simple ways to break them — serves as good motivation for the more rigorous approach that we will be taking in the rest of the book.¹


1.2  The  Setting  of  Private-Key  Encryption 

As  noted  above,  cryptography  was  historically  concerned  with  secret  com- 
munication. Specifically,  cryptography  was  concerned  with  the  construction 
of  ciphers  (now  called  encryption  schemes)  for  providing  secret  communica- 
tion between  two  parties  sharing  some  information  in  advance.  The  setting  in 
which  the  communicating  parties  share  some  secret  information  in  advance  is 
now  known  as  the  private-key  (or  the  symmetric-key)  setting.  Before  describ- 
ing some  historical  ciphers,  we  discuss  the  private-key  setting  and  encryption 
in  more  general  terms. 

In the private-key setting, two parties share some secret information called a key, and use this key when they wish to communicate secretly with each
other.  A party  sending  a message  uses  the  key  to  encrypt  (or  “scramble”)  the 
message before it is sent, and the receiver uses the same key to decrypt (or “unscramble”) and recover the message upon receipt. The message itself is called the plaintext, and the “scrambled” information that is actually transmitted from the sender to the receiver is called the ciphertext; see Figure 1.1. The shared key serves to distinguish the communicating parties from any other parties who may be eavesdropping on their communication (assumed to take place over a public channel).

In this setting, the same key is used to convert the plaintext into a ciphertext and back. This explains why this setting is also known as the symmetric-key setting, where the symmetry lies in the fact that both parties hold the same key which is used for both encryption and decryption. This is in contrast to


¹ This is our primary intent in presenting this material and, as such, this chapter should
not  be  taken  as  a representative  historical  account.  The  reader  interested  in  the  history  of 
cryptography  should  consult  the  references  at  the  end  of  this  chapter. 
FIGURE 1.1: The basic setting of private-key encryption.


the  setting  of  asymmetric  encryption  (introduced  in  Chapter  9),  where  the 
sender  and  receiver  do  not  share  any  secrets  and  different  keys  are  used  for 
encryption  and  decryption.  The  private-key  setting  is  the  classic  one,  as  we 
will  see  later  in  this  chapter. 

An  implicit  assumption  in  any  system  using  private-key  encryption  is  that 
the  communicating  parties  have  some  way  of  initially  sharing  a key  in  a secret 
manner.  (Note  that  if  one  party  simply  sends  the  key  to  the  other  over  the 
public  channel,  an  eavesdropper  obtains  the  key  too!)  In  military  settings,  this 
is  not  a severe  problem  because  communicating  parties  are  able  to  physically 
meet  in  a secure  location  in  order  to  agree  upon  a key.  In  many  modern 
settings,  however,  parties  cannot  arrange  any  such  physical  meeting.  As  we 
will see in Chapter 9, this is a source of great concern and actually limits the
applicability  of  cryptographic  systems  that  rely  solely  on  private-key  methods. 
Despite  this,  there  are  still  many  settings  where  private-key  methods  suffice 
and  are  in  wide  use;  one  example  is  disk  encryption,  where  the  same  user  (at 
different points in time) uses a fixed secret key to both write to and read from
the  disk.  As  we  will  explore  further  in  Chapter  10,  private-key  encryption  is 
also  widely  used  in  conjunction  with  asymmetric  methods. 

The syntax of encryption. A private-key encryption scheme is comprised of three algorithms: the first is a procedure for generating keys, the second a procedure for encrypting, and the third a procedure for decrypting. These have the following functionality:

1. The key-generation algorithm Gen is a probabilistic algorithm that outputs a key k chosen according to some distribution that is determined by the scheme.
2. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c. We denote by Enc_k(m) the encryption of the plaintext m using the key k.

3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m. We denote the decryption of the ciphertext c using the key k by Dec_k(c).

The set of all possible keys output by the key-generation algorithm is called the key space and is denoted by K. Almost always, Gen simply chooses a key uniformly at random from the key space (in fact, one can assume without loss of generality that this is the case). The set of all “legal” messages (i.e., those supported by the encryption algorithm) is denoted M and is called the plaintext (or message) space. Since any ciphertext is obtained by encrypting some plaintext under some key, the sets K and M together define a set of all possible ciphertexts denoted by C. An encryption scheme is fully defined by specifying the three algorithms (Gen, Enc, Dec) and the plaintext space M.

The basic correctness requirement of any encryption scheme is that for every key k output by Gen and every plaintext message m ∈ M, it holds that

Dec_k(Enc_k(m)) = m.

In  words,  decrypting  a ciphertext  (using  the  appropriate  key)  yields  the  orig- 
inal message  that  was  encrypted. 

Recapping our earlier discussion, an encryption scheme would be used by two parties who wish to communicate as follows. First, Gen is run to obtain a key k that the parties share. When one party wants to send a plaintext m to the other, he computes c := Enc_k(m) and sends the resulting ciphertext c over the public channel to the other party.² Upon receiving c, the other party computes m := Dec_k(c) to recover the original plaintext.

Keys and Kerckhoffs’ principle. As is clear from the above formulation, if an eavesdropping adversary knows the algorithm Dec as well as the key k shared by the two communicating parties, then that adversary will be able to decrypt all communication between these parties. It is for this reason that the communicating parties must share the key k secretly, and keep k completely secret from everyone else. But maybe they should keep the decryption algorithm Dec a secret, too? For that matter, perhaps all the algorithms constituting the encryption scheme (i.e., Gen and Enc as well) should be kept secret? (Note that the plaintext space M is typically assumed to be known, e.g., it may consist of English-language sentences.)

In  the  late  19th  century,  Auguste  Kerckhoffs  gave  his  opinion  on  this  matter 
in  a paper  he  published  outlining  important  design  principles  for  military 


² Throughout the book, we use := to denote the assignment operation. A list of common notation can be found in the back of the book.
ciphers. One of the most important of these principles (now known simply as Kerckhoffs’ principle) is the following:

The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

In  other  words,  the  encryption  scheme  itself  should  not  be  kept  secret,  and 
so  only  the  key  should  constitute  the  secret  information  shared  by  the  com- 
municating parties. 

Kerckhoffs’  intention  was  that  an  encryption  scheme  should  be  designed  so 
as  to  be  secure  even  if  an  adversary  knows  the  details  of  all  the  component 
algorithms  of  the  scheme,  as  long  as  the  adversary  doesn’t  know  the  key 
being  used.  Stated  differently,  Kerckhoffs’  principle  demands  that  security 
rely  solely  on  the  secrecy  of  the  key.  But  why? 

There  are  three  primary  arguments  in  favor  of  Kerckhoffs’  principle.  The 
first  is  that  it  is  much  easier  for  the  parties  to  maintain  secrecy  of  a short  key 
than  to  maintain  secrecy  of  an  algorithm.  It  is  easier  to  share  a short  (say, 
100-bit)  string  and  store  this  string  securely  than  it  is  to  share  and  securely 
store  a program  that  is  thousands  of  times  larger.  Furthermore,  details  of  an 
algorithm  can  be  leaked  (perhaps  by  an  insider)  or  learned  through  reverse 
engineering;  this  is  unlikely  when  the  secret  information  takes  the  form  of  a 
randomly-generated string.

A second  argument  in  favor  of  Kerckhoffs’  principle  is  that  in  case  the  key 
is  exposed,  it  will  be  much  easier  for  the  honest  parties  to  change  the  key  than 
to replace the algorithm being used. Actually, it is good security practice to
refresh  a key  frequently  even  when  it  has  not  been  exposed,  and  it  would  be 
much  more  cumbersome  to  replace  the  software  being  used  instead. 

Finally,  in  case  many  pairs  of  people  (say,  within  a company)  need  to  en- 
crypt their  communication,  it  will  be  significantly  easier  for  all  parties  to  use 
the same algorithm/program, but different keys, than for everyone to use a
different  program  (which  would  furthermore  depend  on  the  party  with  whom 
they  are  communicating). 

Today, Kerckhoffs’ principle is understood as not only advocating that security should not rely on secrecy of the algorithms being used, but also demanding that these algorithms be made public. This stands in stark contrast to the notion of “security by obscurity” which is the idea that improved security can be achieved by keeping a cryptographic algorithm hidden. Some of the advantages of “open cryptographic design”, where algorithm specifications are made public, include the following:

1.  Published  designs  undergo  public  scrutiny  and  are  therefore  likely  to 
be  stronger.  Many  years  of  experience  have  demonstrated  that  it  is 
very  difficult  to  construct  good  cryptographic  schemes.  Therefore,  our 
confidence  in  the  security  of  a scheme  is  much  higher  if  it  has  been 
extensively  studied  (by  experts  other  than  the  designers  of  the  scheme 
themselves)  and  no  weaknesses  have  been  found. 
2. It is better for security flaws, if they exist, to be revealed by “ethical hackers” (leading, hopefully, to the system being fixed) rather than having these flaws be known only to malicious parties.

3.  If  the  security  of  the  system  relies  on  the  secrecy  of  the  algorithm,  then 
reverse  engineering  of  the  code  (or  leakage  by  industrial  espionage)  poses 
a serious  threat  to  security.  This  is  in  contrast  to  the  secret  key  which 
is  not  part  of  the  code,  and  so  is  not  vulnerable  to  reverse  engineering. 

4.  Public  design  enables  the  establishment  of  standards. 

As  simple  and  obvious  as  it  may  sound,  the  principle  of  open  cryptographic 
design  (i.e.,  Kerckhoffs’  principle)  is  ignored  over  and  over  again  with  dis- 
astrous results.  It  is  very  dangerous  to  use  a proprietary  algorithm  (i.e.,  a 
non-standardized  algorithm  that  was  designed  in  secret  by  some  company), 
and  only  publicly  tried  and  tested  algorithms  should  be  used.  Fortunately, 
there  are  enough  good  algorithms  that  are  standardized  and  not  patented,  so 
that  there  is  no  reason  whatsoever  today  to  use  something  else. 

Attack  scenarios.  We  wrap  up  our  general  discussion  of  encryption  with  a 
brief  discussion  of  some  basic  types  of  attacks  against  encryption  schemes.  In 
order  of  severity,  these  are: 

• Ciphertext-only attack: This is the most basic type of attack and refers to
the  scenario  where  the  adversary  just  observes  a ciphertext  (or  multiple 
ciphertexts)  and  attempts  to  determine  the  underlying  plaintext  (or 
plaintexts). 

• Known-plaintext  attack:  Here,  the  adversary  learns  one  or  more  pairs 
of plaintexts/ciphertexts encrypted under the same key. The aim of
the  adversary  is  then  to  determine  the  plaintext  that  was  encrypted  in 
some  other  ciphertext  (for  which  it  does  not  know  the  corresponding 
plaintext). 

• Chosen-plaintext  attack:  In  this  attack,  the  adversary  has  the  ability  to 
obtain  the  encryption  of  plaintexts  of  its  choice.  It  then  attempts  to 
determine  the  plaintext  that  was  encrypted  in  some  other  ciphertext. 

• Chosen-ciphertext attack: The final type of attack is one where the adversary is even given the capability to obtain the decryption of ciphertexts of its choice. The adversary’s aim, once again, is to determine the plaintext that was encrypted in some other ciphertext (whose decryption the adversary is unable to obtain directly).

The  first  two  types  of  attacks  are  passive  in  that  the  adversary  just  receives 
some  ciphertexts  (and  possibly  some  corresponding  plaintexts  as  well)  and 
then  launches  its  attack.  In  contrast,  the  last  two  types  of  attacks  are  active 
in  that  the  adversary  can  adaptively  ask  for  encryptions  and/or  decryptions 
of  its  choice. 
The first two attacks described above are clearly realistic. A ciphertext-only
attack  is  the  easiest  to  carry  out  in  practice;  the  only  thing  the  adversary  needs 
is  to  eavesdrop  on  the  public  communication  line  over  which  encrypted  mes- 
sages are  sent.  In  a known-plaintext  attack  it  is  assumed  that  the  adversary 
somehow  also  obtains  the  plaintext  messages  corresponding  to  the  ciphertexts 
that  it  viewed.  This  is  often  realistic  because  not  all  encrypted  messages  are 
confidential,  at  least  not  indefinitely.  As  a trivial  example,  two  parties  may 
always  encrypt  a “hello”  message  whenever  they  begin  communicating.  As 
a more  complex  example,  encryption  may  be  used  to  keep  quarterly  earn- 
ings results  secret  until  their  release  date.  In  this  case,  anyone  eavesdropping 
and  obtaining  the  ciphertext  will  later  obtain  the  corresponding  plaintext. 
Any  reasonable  encryption  scheme  must  therefore  remain  secure  against  an 
adversary  that  can  launch  a known-plaintext  attack. 

The two latter active attacks may seem somewhat strange and require justification. (When do parties encrypt and decrypt whatever an adversary wishes?) We defer a more detailed discussion of these attacks to the place in the text where security against these attacks is formally defined: Section 3.5 for chosen-plaintext attacks and Section 3.7 for chosen-ciphertext attacks.

Different applications of encryption may require the encryption scheme to be resilient to different types of attacks. It is not always the case that an encryption scheme secure against the “strongest” type of attack should be used, since it may be less efficient than an encryption scheme secure against “weaker” attacks. Therefore, the latter may be preferred if it suffices for the application at hand.


1.3 Historical Ciphers and Their Cryptanalysis

In our study of “classical cryptography” we will examine some historical ciphers and show that they are completely insecure. As stated earlier, our main aims in presenting this material are (1) to highlight the weaknesses of an “ad-hoc” approach to cryptography, and thus motivate the modern, rigorous approach that will be discussed in the following section, and (2) to demonstrate that “simple approaches” to achieving secure encryption are unlikely to succeed, and show why this is the case. Along the way, we will present some central principles of cryptography which can be learned from the weaknesses of these historical schemes.

In this section (and this section only), plaintext characters are written in lower case and ciphertext characters are written in UPPER CASE. When describing attacks on schemes, we always apply Kerckhoffs’ principle and assume that the scheme is known to the adversary (but the key being used is not).

Caesar’s cipher. One of the oldest recorded ciphers, known as Caesar’s cipher, is described in “De Vita Caesarum, Divus Iulius” (“The Lives of the Caesars, The Deified Julius”), written in approximately 110 C.E.:

There are also letters of his to Cicero, as well as to his intimates on private affairs, and in the latter, if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.

That is, Julius Caesar encrypted by rotating the letters of the alphabet by 3 places: a was replaced with D, b with E, and so on. Of course, at the end of the alphabet, the letters wrap around and so x was replaced with A, y with B, and z with C. For example, the short message begin the attack now, with spaces removed, would be encrypted as:

EHJLQWKHDWWDFNQRZ

making it unintelligible.

An immediate problem with this cipher is that the method is fixed. Thus, anyone learning how Caesar encrypted his messages would be able to decrypt effortlessly. This can be seen also if one tries to fit Caesar’s cipher into the syntax of encryption described earlier: the key-generation algorithm Gen is trivial (that is, it does nothing) and there is no secret key to speak of.

Interestingly, a variant of this cipher called ROT-13 (where the shift is 13 places instead of 3) is widely used nowadays in various online forums. It is understood that this does not provide any cryptographic security, and ROT-13 is used merely to ensure that the text (say, a movie spoiler) is unintelligible unless the reader of a message consciously chooses to decrypt it.

The shift cipher and the sufficient key space principle. Caesar’s cipher suffers from the fact that encryption is always done in the same way, and there is no secret key. The shift cipher is similar to Caesar’s cipher, but a secret key is introduced.^ Specifically, in the shift cipher the key k is a number between 0 and 25. Then, to encrypt, letters are rotated by k places as in Caesar’s cipher. Mapping this to the syntax of encryption described earlier, this means that algorithm Gen outputs a random number k in the set {0, . . . , 25}; algorithm Enc takes a key k and a plaintext written using English letters and shifts each letter of the plaintext forward k positions (wrapping around from z to a); and algorithm Dec takes a key k and a ciphertext written using English letters and shifts every letter of the ciphertext backward k positions (this time wrapping around from a to z). The plaintext message space M is defined to be all finite strings of characters from the English alphabet (note that numbers, punctuation, or other characters are not allowed in this scheme).

^In some books, “Caesar’s cipher” and “shift cipher” are used interchangeably.

A more mathematical description of this method can be obtained by viewing the alphabet as the numbers 0, . . . , 25 (rather than as English characters). First, some notation: if a is an integer and N is an integer greater than 1, we define [a mod N] as the remainder of a upon division by N. Note that [a mod N] is an integer between 0 and N − 1, inclusive. We refer to the process mapping a to [a mod N] as reduction modulo N; we will have much more to say about reduction modulo N beginning in Chapter 7.

Using this notation, encryption of a plaintext character $m_i$ with the key $k$ gives the ciphertext character $[(m_i + k) \bmod 26]$, and decryption of a ciphertext character $c_i$ is defined by $[(c_i - k) \bmod 26]$. In this view, the message space $\mathcal{M}$ is defined to be any finite sequence of integers that lie in the range {0, . . . , 25}.

Is the shift cipher secure? Before reading on, try to decrypt the following message that was encrypted using the shift cipher and a secret key k (whose value we will not reveal):

OVDTHUFWVZZPISLRLFZHYLAOLYL.

Is it possible to decrypt this message without knowing k? Actually, it is completely trivial! The reason is that there are only 26 possible keys. Thus, it is easy to try every key, and see which key decrypts the ciphertext into a plaintext that “makes sense”. Such an attack on an encryption scheme is called a brute-force attack or exhaustive search. Clearly, any secure encryption scheme must not be vulnerable to such a brute-force attack; otherwise, it can be completely broken, irrespective of how sophisticated the encryption algorithm is. This brings us to a trivial, yet important, principle called the “sufficient key space principle”:

Any secure encryption scheme must have a key space that is not vulnerable to exhaustive search.^

In today’s age, an exhaustive search may use very powerful computers, or many thousands of PCs that are distributed around the world. Thus, the number of possible keys must be very large (at least $2^{60}$ or $2^{70}$).

We emphasize that the above principle gives a necessary condition for security, not a sufficient one. We will see next an encryption scheme that has a very large key space but which is still insecure.
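As an added illustration (this code is not from the book), the three algorithms Gen, Enc and Dec of the shift cipher are written out below in Python, together with the exhaustive search over the 26 keys. The text notes that deciding which candidate plaintext “makes sense” can be done with a dictionary of English words; the word list here is a small constructed stand-in for such a dictionary, and the function names (brute_force, makes_sense, recover_key) are my own.

```python
import random
import string

ALPHABET = string.ascii_lowercase  # letter i of this string is the number i


def gen() -> int:
    """Gen: output a uniformly random key k in the set {0, ..., 25}."""
    return random.randrange(26)


def enc(k: int, m: str) -> str:
    """Enc: each plaintext letter m_i becomes [(m_i + k) mod 26].

    Plaintext is lower case; the ciphertext is written in UPPER CASE, as in
    the text.  Anything outside a-z is outside the message space.
    """
    if not all(ch in ALPHABET for ch in m):
        raise ValueError("message space is finite strings over a-z only")
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in m).upper()


def dec(k: int, c: str) -> str:
    """Dec: each ciphertext letter c_i becomes [(c_i - k) mod 26]."""
    return "".join(ALPHABET[(ALPHABET.index(ch) - k) % 26] for ch in c.lower())


def brute_force(c: str) -> list:
    """Exhaustive search: decrypt under all 26 keys; entry j is the candidate for key j."""
    return [dec(k, c) for k in range(26)]


# Constructed stand-in for "a dictionary of valid English words" (hypothetical,
# chosen only to keep the example self-contained).
SMALL_DICTIONARY = {"the", "attack", "begin", "now", "and", "at", "an", "in", "no", "we"}


def makes_sense(candidate: str, words=SMALL_DICTIONARY) -> int:
    """A crude, automatable 'makes sense' score: total length of the dictionary
    words that occur somewhere in the candidate (longer words count for more)."""
    return sum(len(w) for w in words if w in candidate)


def recover_key(c: str) -> int:
    """Exhaustive search plus the score: the key whose decryption scores highest."""
    scores = [makes_sense(p) for p in brute_force(c)]
    return max(range(26), key=lambda k: scores[k])


if __name__ == "__main__":
    k = gen()
    c = enc(k, "begintheattacknow")
    for j, p in enumerate(brute_force(c)):
        print(f"key {j:2d}: {p}")
    print("recovered key:", recover_key(c), " actual key:", k)
```

Running the script prints all 26 candidate decryptions; exactly one of them reads as English, which is the whole point of the sufficient key space principle: with 26 keys the adversary simply looks at every possibility.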

^This is actually only true if the message space is larger than the key space (see Chapter 2 for an example where security is achieved using a small key space as long as the message space is even smaller). In practice, when very long messages are typically encrypted with the same key, the key space must not be vulnerable to exhaustive search.

Mono-alphabetic substitution. The shift cipher maps each plaintext character to a different ciphertext character, but the mapping in each case is given by the same shift (the value of which is determined by the key). The idea behind mono-alphabetic substitution is to map each plaintext character to a different ciphertext character in an arbitrary manner, subject only to the fact that the mapping must be one-to-one in order to enable decryption. The key space thus consists of all permutations of the alphabet, meaning that the size of the key space is 26! = 26 · 25 · 24 · · · 2 · 1 (or approximately $2^{88}$) if we are working with the English alphabet. As an example, the key

abcdefghijklmnopqrstuvwxyz
XEUADNBKVMROCQFSYHWGLZIJPT


in which a maps to X, etc., would encrypt the message tellhimaboutme to GDOOKVCXEFLGCD. A brute-force attack on the key space for this cipher takes much longer than a lifetime, even using the most powerful computer known today. However, this does not necessarily mean that the cipher is secure. In fact, as we will show now, it is easy to break this scheme even though it has a very large key space.

Assume that English-language text is being encrypted (i.e., the text is grammatically-correct English writing, not just text written using characters of the English alphabet). It is then possible to attack the mono-alphabetic substitution cipher by utilizing statistical patterns of the English language (of course, the same attack works for any language). The two properties of this cipher that are utilized in the attack are as follows:

1. In this cipher, the mapping of each letter is fixed, and so if e is mapped to D, then every appearance of e in the plaintext will result in the appearance of D in the ciphertext.

2. The probability distribution of individual letters in the English language (or any other) is known. That is, the average frequency counts of the different English letters are quite invariant over different texts. Of course, the longer the text, the closer the frequency counts will be to the average. However, even relatively short texts (consisting of only tens of words) have distributions that are “close enough” to the average.

The attack works by tabulating the probability distribution of the ciphertext and then comparing it to the known probability distribution of letters in English text (see Figure 1.2). The probability distribution being tabulated in the attack is simply the frequency count of each letter in the ciphertext (i.e., a table saying that A appeared 4 times, B appeared 11 times, and so on). Then, we make an initial guess of the mapping defined by the key based on the frequency counts. For example, since e is the most frequent letter in English, we will guess that the most frequent character in the ciphertext corresponds to the plaintext character e, and so on. Unless the ciphertext is quite long, some of the guesses are likely to be wrong. Even for quite short ciphertexts, however, the guesses will be good enough to enable relatively quick decryption (especially utilizing other knowledge of the English language, such as the fact that between t and e, the character h is likely to appear, and the fact that u generally follows q).

FIGURE 1.2: Average letter frequencies for English-language text.

Actually, it should not be very surprising that the mono-alphabetic substitution cipher can be quickly broken, since puzzles based on this cipher appear in newspapers (and are solved by some people before their morning coffee)! We recommend that you try to decipher the following message — this should help convince you how easy the attack is to carry out (of course, you should use Figure 1.2 to help you):

JGRMQOYGHMVBJWRWQFPWHGFFDQGFPFZRKBEEBJIZQQOCIBZKLFAFGQVFZFWWE
OGWOPFGFHWOLPHLRLOLFDMFGQWBLWBWQOLKFWBYLBLYLFSFLJGRMQBOLWJVFP
FWQVHQWFFPQOQVFPQOCFPOGFWFJIGFQVHLHLROQVFGWJVFPFOLFHGQVQVFILE
OGQILHQFQGIQVVOSFAFGBWQVHQWIJVWJVFPFWHGFIWIHZZRQGBABHZQOCGFHX

We conclude that, although the mono-alphabetic cipher has a very large key space, it is still completely insecure.
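The following Python, added here and not taken from the book, spells out the mono-alphabetic substitution cipher and the first step of the frequency attack just described: the key is a permutation of the alphabet (the example uses the key shown above), the attack tabulates letter counts in the ciphertext, and the initial guess pairs the most frequent ciphertext letter with e, the next with t, and so on down the usual ordering of English letters by frequency. The sample plaintext in the demonstration is constructed (deliberately heavy in the letter e), and the helper names are my own.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# English letters from most to least frequent, as read off a table such as
# Figure 1.2 (e, t, a, o, i, n, ...).
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"


def gen() -> str:
    """Gen: a uniformly random permutation of the alphabet, written as the
    images of a, b, ..., z in order (one of the 26! possible keys)."""
    letters = list(ALPHABET)
    random.shuffle(letters)
    return "".join(letters).upper()


def enc(key: str, m: str) -> str:
    """Enc: replace every plaintext letter by its image under the permutation."""
    return m.translate(str.maketrans(ALPHABET, key.upper()))


def dec(key: str, c: str) -> str:
    """Dec: apply the inverse permutation (it exists because the key is one-to-one)."""
    return c.translate(str.maketrans(key.upper(), ALPHABET))


def frequency_table(text: str) -> dict:
    """The distribution tabulated by the attack: how often each letter occurs."""
    return dict(Counter(text))


def initial_guess(c: str) -> dict:
    """First guess at the key: the most frequent ciphertext letter is taken to be
    e, the next most frequent t, and so on.  Returns ciphertext -> plaintext."""
    counts = frequency_table(c)
    ranked = sorted(ALPHABET.upper(), key=lambda ch: (-counts.get(ch, 0), ch))
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))


def apply_guess(c: str, guess: dict) -> str:
    """Tentative decryption under a guessed mapping, to be refined by hand."""
    return "".join(guess[ch] for ch in c)


def correct_letters(guess: dict, key: str) -> int:
    """Scoring aid for the reader: how many of the 26 guessed pairs are right."""
    true_map = {cipher: plain for plain, cipher in zip(ALPHABET, key.upper())}
    return sum(1 for ch, plain in guess.items() if true_map[ch] == plain)


if __name__ == "__main__":
    key = "XEUADNBKVMROCQFSYHWGLZIJPT"  # the key shown in the text
    # Constructed sample plaintext, chosen to be heavy in the letter e.
    m = "eveseemstoseethreesheepnearthegreentreeeveryevening"
    c = enc(key, m)
    guess = initial_guess(c)
    print(c)
    print(apply_guess(c, guess))
    print("correct guesses:", correct_letters(guess, key), "of 26")
```

On a short text like the one in the demonstration only the most frequent letters are placed correctly, which is exactly the behaviour the text describes; the rest of the mapping is then filled in from digram knowledge (h between t and e, u after q) and trial and error.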

An improved attack on the shift cipher. We can use character frequency tables to give an improved attack on the shift cipher. Specifically, our previous attack on the shift cipher required us to decrypt the ciphertext using each possible key, and then check to see which key results in a plaintext that “makes sense”. A drawback of this approach is that it is difficult to automate, since it is difficult for a computer to check whether some plaintext “makes sense”. (We do not claim this is impossible, as it can certainly be done using a dictionary of valid English words. We only claim that it is not trivial.) Moreover, there may be cases — we will see one below — where the plaintext characters are distributed according to English-language text but the plaintext itself is not valid English text, making the problem harder.

As before, associate the letters of the English alphabet with the numbers 0, . . . , 25. Let $p_i$, for $0 \le i \le 25$, denote the probability of the $i$th letter in normal English text. A simple calculation using known values of $p_i$ gives

$$ \sum_{i=0}^{25} p_i^2 \approx 0.065. \qquad (1.1) $$

Now, say we are given some ciphertext and let $q_i$ denote the probability of the $i$th letter in this ciphertext ($q_i$ is simply the number of occurrences of the $i$th letter divided by the length of the ciphertext). If the key is $k$, then we expect that $q_{i+k}$ should be roughly equal to $p_i$ for every $i$. (We use $i + k$ instead of the more cumbersome $[i + k \bmod 26]$.) Equivalently, if we compute

$$ I_j \stackrel{\text{def}}{=} \sum_{i=0}^{25} p_i \cdot q_{i+j} $$

for each value of $j \in \{0, \ldots, 25\}$, then we expect to find that $I_k \approx 0.065$ where $k$ is the key that is actually being used (whereas $I_j$ for $j \ne k$ is expected to be different). This leads to a key-recovery attack that is easy to automate: compute $I_j$ for all $j$, and then output the value $k$ for which $I_k$ is closest to 0.065.

The Vigenère (poly-alphabetic shift) cipher. As we have described, the statistical attack on the mono-alphabetic substitution cipher could be carried out because the mapping of each letter was fixed. Thus, such an attack can be thwarted by mapping different instances of the same plaintext character to different ciphertext characters. This has the effect of “smoothing out” the probability distribution of characters in the ciphertext. For example, consider the case that e is sometimes mapped to G, sometimes to P, and sometimes to Y. Then, the ciphertext letters G, P, and Y will most likely not stand out as more frequent, because other less-frequent characters will also be mapped to them. Thus, counting the character frequencies will not offer much information about the mapping.

The Vigenère cipher works by applying multiple shift ciphers in sequence. That is, a short, secret word is chosen as the key, and then the plaintext is encrypted by “adding” each plaintext character to the next character of the key (as in the shift cipher), wrapping around in the key when necessary. For example, an encryption of the message tellhimaboutme using the key cafe would work as follows:

Plaintext:  tellhimaboutme
Key:        cafecafecafeca
Ciphertext: WFRQKJSFEPAYPF

(The key need not be an actual English word.) This is exactly the same as encrypting the first, fifth, ninth, and so on characters with the shift cipher and key k = 3, the second, sixth, tenth, and so on characters with key k = 1, the third, seventh, and so on characters with k = 6 and the fourth, eighth, and so on characters with k = 5. Thus, it is a repeated shift cipher using different keys. Notice that in the above example l is mapped once to R and once to Q. Furthermore, the ciphertext character F is sometimes obtained from e and sometimes from a. Thus, the character frequencies in the ciphertext are “smoothed”, as desired.

If the key is a sufficiently-long word (chosen at random), then cracking this cipher seems to be a daunting task. Indeed, it was considered by many to be an unbreakable cipher, and although it was invented in the 16th century a systematic attack on the scheme was only devised hundreds of years later.

Breaking the Vigenère cipher. A first observation in attacking the Vigenère cipher is that if the length of the key is known, then the task is relatively easy. Specifically, say the length of the key is $t$ (this is sometimes called the period). Then the ciphertext can be divided into $t$ parts where each part can be viewed as being encrypted using a single instance of the shift cipher. That is, let $k = k_1, \ldots, k_t$ be the key (each $k_i$ is a letter of the alphabet) and let $c_1, c_2, \ldots$ be the ciphertext characters. Then, for every $j$ ($1 \le j \le t$) the set of characters

$$ c_j, c_{j+t}, c_{j+2t}, \ldots $$

were all encrypted by a shift cipher using key $k_j$. All that remains is therefore to determine, for each $j$, which of the 26 possible keys is the correct one. This is not as trivial as in the case of the shift cipher, because by guessing a single letter of the key it is no longer possible to determine if the decryption “makes sense”. Furthermore, checking for all values of $j$ simultaneously would require a brute-force search through $26^t$ different possible keys (which is infeasible for $t$ greater than, say, 15). Nevertheless, we can still use the statistical method described earlier. That is, for every set of ciphertext characters relating to a given key (that is, for each value of $j$), it is possible to tabulate the frequency of each ciphertext character and then check which of the 26 possible shifts yields the “right” probability distribution. Since this can be carried out separately for each key, the attack can be carried out very quickly; all that is required is to build $t$ frequency tables (one for each of the subsets of the characters) and compare them to the real probability distribution.

An alternate, somewhat easier approach, is to use the improved method for attacking the shift cipher that we showed earlier. Recall that this improved attack does not rely on checking for a plaintext that “makes sense”, but only relies on the underlying probability distribution of characters in the plaintext.

Either of the above approaches gives a successful attack when the key length is known. It remains to show how to determine the length of the key.

Kasiski’s method, published in the mid-19th century, gives one approach for solving this problem. The first step is to identify repeated patterns of length 2 or 3 in the ciphertext. These are likely to be due to certain bigrams or trigrams that appear very often in the English language. For example, consider the word “the” that appears very often in English text. Clearly, “the” will be mapped to different ciphertext characters, depending on its position in the text. However, if it appears twice in the same relative position, then it will be mapped to the same ciphertext characters. For example, if it appears in positions $t + j$ and $2t + i$ (where $i \ne j$) then it will be mapped to different characters each time. However, if it appears in positions $t + j$ and $2t + j$, then it will be mapped to the same ciphertext characters. In a long enough text, there is a good chance that “the” will be mapped repeatedly to the same ciphertext characters.

Consider the following concrete example with the key beads (spaces have been added for clarity):

Plaintext:  the man and the woman retrieved the letter from the post office
Key:        bea dsb ead sbe adsbe adsbeadsb ean sdeads bead sbe adsb eadbea
Ciphertext: VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV TGJKGF


The word the is mapped sometimes to VMF, sometimes to MJJ and sometimes to YIS. However, it is mapped twice to MJJ, and in a long enough text it is likely that it would be mapped multiple times to each of the possibilities. The main observation of Kasiski is that the distance between such multiple appearances (except for some coincidental ones) is a multiple of the period length. (In the above example, the period length is 5 and the distance between the two appearances of MJJ is 40, which is 8 times the period length.) Therefore, the greatest common divisor of all the distances between the repeated sequences should yield the period length $t$ or a multiple thereof.

An alternative approach called the index of coincidence method is a bit more algorithmic and hence easier to automate. Recall that if the key-length is $t$, then the ciphertext characters

$$ c_1, c_{1+t}, c_{1+2t}, \ldots $$

are encrypted using the same shift. This means that the frequencies of the characters in this sequence are expected to be identical to the character frequencies of standard English text except in some shifted order. In more detail: let $q_i$ denote the frequency of the $i$th English letter in the sequence above (once again, this is simply the number of occurrences of the $i$th letter divided by the total number of letters in the sequence). If the shift used here is $k_1$ (this is just the first character of the key), then we expect $q_{i+k_1}$ to be roughly equal to $p_i$ for all $i$, where $p_i$ is again the frequency of the $i$th letter in standard English text. But this means that the sequence $p_0, \ldots, p_{25}$ is just the sequence $q_0, \ldots, q_{25}$ shifted by $k_1$ places. As a consequence, we expect that (see Equation (1.1)):

$$ \sum_{i=0}^{25} q_i^2 = \sum_{i=0}^{25} p_i^2 \approx 0.065. $$

This leads to a nice way to determine the key length $t$. For $\tau = 1, 2, \ldots$, look at the sequence of ciphertext characters $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$ and tabulate $q_0, \ldots, q_{25}$ for this sequence. Then compute

$$ S_\tau \stackrel{\text{def}}{=} \sum_{i=0}^{25} q_i^2. $$

When $\tau = t$ we expect to see $S_\tau \approx 0.065$ as discussed above. On the other hand, for $\tau \ne t$ we expect (roughly speaking) that all characters will occur with roughly equal probability in the sequence $c_1, c_{1+\tau}, c_{1+2\tau}, \ldots$, and so we expect $q_i \approx 1/26$ for all $i$. In this case we will obtain

$$ S_\tau \approx \sum_{i=0}^{25} \frac{1}{26^2} = \frac{1}{26} \approx 0.038, $$

which is sufficiently different from 0.065 for this technique to work.
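The Python below is an added example, not code from the book, that carries the whole Vigenère analysis through in one place: the improved shift-cipher attack based on $I_j$ (described above under “An improved attack on the shift cipher”), Kasiski’s repeated-pattern method, and the index of coincidence for finding the period, followed by per-position key recovery. Two conventions are assumptions of this code rather than of the text. First, a key letter is taken as its 0-based index (a = 0, b = 1, ...), matching the mathematical description of the shift cipher earlier in this section; the worked examples above treat the key letter c as the shift k = 3 and a as k = 1, so the ciphertexts this code produces for the same plaintext and key differ from the ones printed above. Second, the index of coincidence is computed in its unbiased form $\sum_i n_i(n_i-1)/(n(n-1))$, which estimates the same quantity as $S_\tau = \sum_i q_i^2$ but without the upward bias that the plain sum of squares has on short sequences. The long sample plaintext is my own constructed text; the frequency table is the usual set of average English letter frequencies, whose squares sum to about 0.065 as in Equation (1.1).

```python
import math
from collections import Counter
from functools import reduce

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# p_0, ..., p_25: average frequencies of a, ..., z in English text (the values
# behind Figure 1.2); their sum of squares is about 0.065, Equation (1.1).
ENGLISH_FREQ = [
    0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070, 0.0015,
    0.0077, 0.040, 0.024, 0.067, 0.075, 0.019, 0.00095, 0.060, 0.063, 0.091,
    0.028, 0.0098, 0.024, 0.0015, 0.020, 0.00074,
]

def only_letters(text: str) -> str:
    """The message space is strings over a-z: drop spaces, digits and punctuation."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)

def vigenere_encrypt(m: str, key: str) -> str:
    """Add key letter (i mod t) to plaintext letter i, numbering a = 0, ..., z = 25."""
    ks = [ALPHABET.index(ch) for ch in key]
    return "".join(ALPHABET[(ALPHABET.index(ch) + ks[i % len(ks)]) % 26]
                   for i, ch in enumerate(m)).upper()

def vigenere_decrypt(c: str, key: str) -> str:
    """Subtract the same key letters again."""
    ks = [ALPHABET.index(ch) for ch in key]
    return "".join(ALPHABET[(ALPHABET.index(ch) - ks[i % len(ks)]) % 26]
                   for i, ch in enumerate(c.lower()))

def letter_frequencies(seq: str) -> list:
    """q_0, ..., q_25: occurrences of each letter divided by the sequence length."""
    counts = Counter(seq.lower())
    return [counts[ch] / max(len(seq), 1) for ch in ALPHABET]

def shift_correlations(seq: str) -> list:
    """I_j = sum_i p_i * q_{(i+j) mod 26} for j = 0, ..., 25."""
    q = letter_frequencies(seq)
    return [sum(ENGLISH_FREQ[i] * q[(i + j) % 26] for i in range(26)) for j in range(26)]

def recover_shift(seq: str) -> int:
    """Improved shift-cipher attack: the key is the j with I_j closest to 0.065.
    Every other I_j lies well below 0.065, so that j is simply the largest I_j."""
    corr = shift_correlations(seq)
    return max(range(26), key=corr.__getitem__)

def kasiski_distances(c: str, length: int = 3) -> list:
    """Kasiski: distances between consecutive repeats of each length-3 pattern."""
    last_seen, distances = {}, []
    for i in range(len(c) - length + 1):
        pattern = c[i:i + length]
        if pattern in last_seen:
            distances.append(i - last_seen[pattern])
        last_seen[pattern] = i
    return distances

def kasiski_period_estimate(c: str) -> int:
    """gcd of the repeat distances: the period t or a multiple of it (0 if no repeats)."""
    return reduce(math.gcd, kasiski_distances(c), 0)

def index_of_coincidence(seq: str) -> float:
    """sum_i n_i(n_i - 1) / (n(n - 1)), the unbiased form of S = sum_i q_i^2: about
    0.065 for English-distributed letters, about 1/26 = 0.038 for evenly spread ones."""
    n = len(seq)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(seq).values()) / (n * (n - 1))

def find_period(c: str, max_period: int = 20, threshold: float = 0.052) -> int:
    """Smallest tau for which the sequences c[i::tau] all look like shifted English.
    The threshold sits halfway between 0.038 and 0.065; 0 means nothing found."""
    for tau in range(1, max_period + 1):
        mean_ioc = sum(index_of_coincidence(c[i::tau]) for i in range(tau)) / tau
        if mean_ioc >= threshold:
            return tau
    return 0

def recover_key(c: str, period: int) -> str:
    """Each c[i::period] is a shift cipher under key letter k_{i+1}: recover it with I_j."""
    return "".join(ALPHABET[recover_shift(c[i::period])] for i in range(period))

# Constructed sample plaintext (my own text, not from the book), about 670 letters.
SAMPLE_PLAINTEXT = only_letters("""The analyst reviewed the server logs late into
the evening and noticed that several accounts had been used to sign in from
unfamiliar locations over the course of the week. She began by collecting every
record that mentioned those accounts, then sorted the events by time so that the
sequence of actions could be reconstructed. The pattern that emerged pointed to a
single compromised credential rather than a flaw in the application itself, so the
team reset the password, revoked every open session, and added a rule to alert on
the next attempt from the same network. The report was written the following
morning and shared with the rest of the company before the weekly meeting. Nobody
could say how long the credential had been exposed, so the security office also
searched the older archives for similar traces.""")

if __name__ == "__main__":
    c = vigenere_encrypt(SAMPLE_PLAINTEXT, "beads")
    t = find_period(c)
    print("Kasiski gcd of repeat distances:", kasiski_period_estimate(c))
    print("index-of-coincidence period:", t, " recovered key:", recover_key(c, t))
```

On the 52-letter example plaintext from the text, encrypted under the key beads with this code’s 0-based convention, the only repeated trigram is the second and fourth “the”, 30 positions apart, so Kasiski’s gcd is 30, a multiple of the period 5. On the long constructed text the index of coincidence picks out $\tau = 5$ directly, and the five $I_j$ computations return the key letters one coset at a time, with no “makes sense” check anywhere.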

Ciphertext length and cryptanalytic attacks. The above attacks on the Vigenère cipher require a longer ciphertext than for previous schemes. For example, a large ciphertext is needed for determining the period if Kasiski’s method is used. Furthermore, statistics are needed for $t$ different parts of the ciphertext, and the frequency table of a message converges to the average as its length grows (and so the ciphertext needs to be approximately $t$ times longer than in the case of the mono-alphabetic substitution cipher). Similarly, the attack that we showed for the mono-alphabetic substitution cipher requires a longer ciphertext than for the attacks on the shift cipher (which can work for messages consisting of just a single word). This phenomenon is not coincidental, and relates to the size of the key space for each encryption scheme.

Ciphertext-only vs. known-plaintext attacks. The attacks described above are all ciphertext-only attacks (recall that this is the easiest type of attack to carry out in practice). All the above ciphers are trivially broken if the adversary is able to carry out a known-plaintext attack; we leave a demonstration of this as an exercise.


Conclusions and discussion. We have presented only a few historical ciphers. Beyond their general historical interest, our aim in presenting them was to illustrate some important lessons regarding cryptographic design. Stated briefly, these lessons are:

1. Sufficient key space principle: Assuming sufficiently-long messages are being encrypted, a secure encryption scheme must have a key space that cannot be searched exhaustively in a reasonable amount of time. However, a large key space does not by itself imply security (e.g., the mono-alphabetic substitution cipher has a large key space but is trivial to break). Thus, a large key space is a necessary requirement, but not a sufficient one.

2. Designing secure ciphers is a hard task: The Vigenère cipher remained unbroken for a long time, partially due to its presumed complexity. Far more complex schemes have also been used, such as the German Enigma. Nevertheless, this complexity does not imply security and all historical ciphers can be completely broken. In general, it is very hard to design a secure encryption scheme, and such design should be left to experts.

The history of classical encryption schemes is fascinating, both with respect to the methods used as well as the influence of cryptography and cryptanalysis on world history (in World War II, for example). Here, we have only tried to give a taste of some of the more basic methods, with a focus on what modern cryptography can learn from these attempts.


1.4 The Basic Principles of Modern Cryptography

The previous section has given a taste of historical cryptography. It is fair to say that, historically, cryptography was more of an art than any sort of science: schemes were designed in an ad-hoc manner and then evaluated based on their perceived complexity or cleverness. Unfortunately, as we have seen, all such schemes (no matter how clever) were eventually broken.

Modern cryptography, now resting on firmer and more scientific foundations, gives hope of breaking out of the endless cycle of constructing schemes and watching them get broken. In this section we outline the main principles and paradigms that distinguish modern cryptography from classical cryptography. We identify three main principles:

1. Principle 1 — the first step in solving any cryptographic problem is the formulation of a rigorous and precise definition of security.

2. Principle 2 — when the security of a cryptographic construction relies on an unproven assumption, this assumption must be precisely stated. Furthermore, the assumption should be as minimal as possible.

3. Principle 3 — cryptographic constructions should be accompanied by a rigorous proof of security with respect to a definition formulated according to principle 1, and relative to an assumption stated as in principle 2 (if an assumption is needed at all).

We now discuss each of these principles in greater depth.

1.4.1 Principle 1 — Formulation of Exact Definitions

One of the key intellectual contributions of modern cryptography has been the realization that formal definitions of security are essential prerequisites for the design, usage, or study of any cryptographic primitive or protocol. Let us explain each of these in turn:

1. Importance for design: Say we are interested in constructing a secure encryption scheme. If we do not have a firm understanding of what it is we want to achieve, how can we possibly know whether (or when) we have achieved it? Having an exact definition in mind enables us to better direct our design efforts, as well as to evaluate the quality of what we build, thereby improving the end construction. In particular, it is much better to define what is needed first and then begin the design phase, rather than to come up with a post facto definition of what has been achieved once the design is complete. The latter approach risks having the design phase end when the designers’ patience is tried (rather than when the goal has been met), or may result in a construction that achieves more than is needed and is thus less efficient than a better solution.

2. Importance for usage: Say we want to use an encryption scheme within some larger system. How do we know which encryption scheme to use? If presented with a candidate encryption scheme, how can we tell whether it suffices for our application? Having a precise definition of the security achieved by a given scheme (coupled with a security proof relative to a formally-stated assumption as discussed in principles 2 and 3) allows us to answer these questions. Specifically, we can define the security that we desire in our system (see point 1, above), and then verify whether the definition satisfied by a given encryption scheme suffices for our purposes. Alternatively, we can specify the definition that we need the encryption scheme to satisfy, and look for an encryption scheme satisfying this definition. Note that it may not be wise to choose the “most secure” scheme, since a weaker notion of security may suffice for our application and we may then be able to use a more efficient scheme.

3. Importance for study: Given two encryption schemes, how can we compare them? Without any definition of security, the only point of comparison is efficiency, but efficiency alone is a poor criterion since a highly efficient scheme that is completely insecure is of no use. Precise specification of the level of security achieved by a scheme offers another point of comparison. If two schemes are equally efficient but the first one satisfies a stronger definition of security than the second, then the first is preferable.⁵ There may also be a trade-off between security and efficiency (see the previous two points), but at least with precise definitions we can understand what this trade-off entails.


⁵Of course, things are rarely this simple.

Of course, precise definitions also enable rigorous proofs (as we will discuss when we come to principle 3), but the above reasons stand irrespective of this.

It is a mistake to think that formal definitions are not needed since “we have an intuitive idea of what security means”. For starters, different people have different intuition regarding what is considered secure. Even one person might have multiple intuitive ideas of what security means, depending on the context. For example, in Chapter 3 we will study four different definitions of security for private-key encryption, each of which is useful in a different scenario. In any case, a formal definition is necessary for communicating your “intuitive idea” to someone else.

An example: secure encryption. It is also a mistake to think that formalizing definitions is trivial. For example, how would you formalize the desired notion of security for private-key encryption? (The reader may want to pause to think about this before reading on.) We have asked students many times how secure encryption should be defined, and have received the following answers (often in the following order):

1. Answer 1 — an encryption scheme is secure if no adversary can find the secret key when given a ciphertext. Such a definition of encryption completely misses the point. The aim of encryption is to protect the message being encrypted and the secret key is just the means of achieving this. To take this to an absurd level, consider an encryption scheme that ignores the secret key and just outputs the plaintext. Clearly, no adversary can find the secret key. However, it is also clear that no secrecy whatsoever is provided.⁶

2. Answer 2 — an encryption scheme is secure if no adversary can find the plaintext that corresponds to the ciphertext. This definition already looks better and can even be found in some texts on cryptography. However, after some more thought, it is also far from satisfactory. For example, an encryption scheme that reveals 90% of the plaintext would still be considered secure under this definition, as long as it is hard to find the remaining 10%. But this is clearly unacceptable in most common applications of encryption. For example, employment contracts are mostly standard text, and only the salary might need to be kept secret; if the salary is in the 90% of the plaintext that is revealed then nothing is gained by encrypting.

If you find the above counterexample silly, refer again to footnote 6. The point once again is that if the definition as stated isn’t what was meant, then a scheme could be proven secure without actually providing the necessary level of protection. (This is a good example of why exact definitions are important.)


⁶And lest you respond: “But that’s not what I meant!”, well, that’s exactly the point: it is often not so trivial to formalize what one means.

3. Answer 3 — an encryption scheme is secure if no adversary can determine any character of the plaintext that corresponds to the ciphertext. This already looks like an excellent definition. However, other subtleties can arise. Going back to the example of the employment contract, it may be impossible to determine the actual salary or even any digit thereof. However, should the encryption scheme be considered secure if it leaks whether the encrypted salary is greater than or less than $100,000 per year? Clearly not. This leads us to the next suggestion.

4. Answer 4 — an encryption scheme is secure if no adversary can derive any meaningful information about the plaintext from the ciphertext. This is already close to the actual definition. However, it is lacking in one respect: it does not define what it means for information to be “meaningful”. Different information may be meaningful in different applications. This leads to a very important principle regarding definitions of security for cryptographic primitives: definitions of security should suffice for all potential applications. This is essential because one can never know what applications may arise in the future. Furthermore, implementations typically become part of general cryptographic libraries which are then used in many different contexts and for many different applications. Security should ideally be guaranteed for all possible uses.

5. The final answer — an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext. This provides a very strong guarantee and, when formulated properly, is considered today to be the “right” definition of security for encryption. Even here, there are questions regarding the attack model that should be considered, and how this aspect of security should be defined.

Even though we have now hit upon the correct requirement for secure encryption, conceptually speaking, it remains to state this requirement mathematically and formally, and this is in itself a non-trivial task (one that we will address in detail in Chapters 2 and 3).
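The three rejected answers above can each be made concrete with a toy scheme that meets the candidate definition yet lets an adversary compute some function of the plaintext from the ciphertext alone. The following is an added example, not code from the book; the schemes, the sample contract and the salary encoding are constructed here for illustration.

```python
# Added example (not from the book): three constructed toy "encryption
# schemes", each satisfying one of the early candidate definitions
# (Answers 1-3) while an adversary still computes a function of the
# plaintext from the ciphertext alone, which the final answer forbids.
import secrets


def gen(n: int) -> bytes:
    """Gen: a uniformly random n-byte key (enough for a one-time pad)."""
    return secrets.token_bytes(n)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (the one-time-pad step)."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Answer 1: "secure if no adversary can find the key".
def enc_answer1(k: bytes, m: bytes) -> bytes:
    """Ignores the key and outputs the plaintext.  c is independent of k,
    so no adversary learns anything about k, yet m is sent in the clear."""
    return m


def adversary_answer1(c: bytes) -> bytes:
    """f(m) = m, read straight off the ciphertext."""
    return c


# Answer 2: "secure if no adversary can find the plaintext".
def _cut(n: int) -> int:
    """Index splitting a length-n plaintext into a 90% prefix and 10% tail."""
    return (n * 9) // 10


def enc_answer2(k: bytes, m: bytes) -> bytes:
    """Sends the first 90% of m in the clear and one-time-pads the last 10%.
    Recovering all of m means guessing the padded tail, so the *whole*
    plaintext is hidden; 90% of it is not."""
    cut = _cut(len(m))
    return m[:cut] + xor(m[cut:], k[: len(m) - cut])


def adversary_answer2(c: bytes) -> bytes:
    """f(m) = the leading 90% of m (e.g. everything but the salary field)."""
    return c[: _cut(len(c))]


# Answer 3: "secure if no adversary can determine any character".
SALARY_DIGITS = 9  # constructed fixed-width encoding of the salary


def enc_answer3(k: bytes, salary: int) -> bytes:
    """One-time-pads every digit of the salary (no digit is determinable),
    then appends a flag saying whether the salary exceeds $100,000."""
    digits = str(salary).zfill(SALARY_DIGITS).encode()
    flag = b"\x01" if salary > 100_000 else b"\x00"
    return xor(digits, k[:SALARY_DIGITS]) + flag


def adversary_answer3(c: bytes) -> bool:
    """f(m) = [salary > 100000], one bit the definition did not rule out."""
    return c[-1] == 1


# Constructed sample plaintexts: a mostly-boilerplate contract and a salary.
SAMPLE_CONTRACT = b"standard employment terms ... annual salary: 120000 usd"
SAMPLE_SALARY = 120_000


def demonstrate(contract: bytes = SAMPLE_CONTRACT,
                salary: int = SAMPLE_SALARY) -> dict:
    """For each scheme, check that the adversary's output equals the
    corresponding function of the plaintext, i.e. that the scheme is
    broken under the final answer although it meets the earlier one."""
    k = gen(max(len(contract), SALARY_DIGITS))
    return {
        "answer1_leaks_plaintext":
            adversary_answer1(enc_answer1(k, contract)) == contract,
        "answer2_leaks_90_percent":
            adversary_answer2(enc_answer2(k, contract))
            == contract[: _cut(len(contract))],
        "answer3_leaks_comparison":
            adversary_answer3(enc_answer3(k, salary)) == (salary > 100_000),
    }


def key_independent(m: bytes = SAMPLE_CONTRACT) -> bool:
    """Evidence that scheme 1 does meet Answer 1: two unrelated keys give
    the identical ciphertext, so c carries no information about k."""
    return enc_answer1(gen(len(m)), m) == enc_answer1(gen(len(m)), m)


if __name__ == "__main__":
    for name, leaked in demonstrate().items():
        print(f"{name}: {leaked}")
```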

As noted in the “final answer”, above, our formal definition must also specify the attack model: i.e., whether we assume a ciphertext-only attack or a chosen-plaintext attack. This illustrates a general principle used when formulating cryptographic definitions. Specifically, in order to fully define security of some cryptographic task, there are two distinct issues that must be explicitly addressed. The first is what is considered to be a break, and the second is what is assumed regarding the power of the adversary. The break is exactly what we have discussed above; i.e., an encryption scheme is considered broken if an adversary learns some function of the plaintext from a ciphertext. The power of the adversary relates to assumptions regarding the actions the adversary is assumed to be able to take, as well as the adversary’s computational power. The former refers to considerations such as whether the adversary is assumed only to be able to eavesdrop on encrypted messages (i.e., a ciphertext-only attack), or whether we assume that the adversary can also actively request encryptions of any plaintext that it likes (i.e., carry out a chosen-plaintext attack). A second issue that must be considered is the computational power of the adversary. For all of this book, except Chapter 2, we will want to ensure security against any efficient adversary, by which we mean any adversary running in polynomial time. (A full discussion of this point appears in Section 3.1.2. For now, it suffices to say that an “efficient” strategy is one that can be carried out in a lifetime. Thus “feasible” is arguably a more accurate term.) When translating this into concrete terms, we might require security against any adversary utilizing decades of computing time on a supercomputer.

In summary, any definition of security will take the following general form:

A cryptographic scheme for a given task is secure if no adversary of a specified power can achieve a specified break.

We stress that the definition never assumes anything about the adversary’s strategy. This is an important distinction: we are willing to assume something about the adversary’s capabilities (e.g., that it is able to mount a chosen-plaintext attack but not a chosen-ciphertext attack), but we are not willing to assume anything about how it uses its abilities. We call this the “arbitrary adversary principle”: security must be guaranteed for any adversary within the class of adversaries having the specified power. This principle is important because it is impossible to foresee what strategies might be used in an adversarial attack (and history has proven that attempts to do so are doomed to failure).

Mathematics and the real world. A definition of security essentially provides a mathematical formulation of a real-world problem. If the mathematical definition does not appropriately model the real world, then the definition may be useless. For example, if the adversarial power under consideration is too weak (and, in practice, adversaries have more power), or the break is such that it allows real attacks that were not foreseen (like one of the early answers regarding encryption), then “real security” is not obtained, even if a “mathematically-secure” construction is used. In short, a definition of security must accurately model the real world in order for it to deliver on its mathematical promise of security.

It is quite common, in fact, for a widely-accepted definition to be ill-suited for some new application. As one notable example, there are encryption schemes that were proven secure (relative to some definition like the ones we have discussed above) and then implemented on smart-cards. Due to physical properties of the smart-cards, it was possible for an adversary to monitor the power usage of the smart-card (e.g., how this power usage fluctuated over time) as the encryption scheme was being run, and it turned out that this information could be used to determine the key. There was nothing wrong with the security definition or the proof that the scheme satisfied this definition; the problem was simply that there was a mismatch between the definition and the real-world implementation of the scheme on a smart-card.

This should not be taken to mean that definitions (or proofs, for that matter) are useless! The definition — and the scheme that satisfies it — may still be appropriate for other settings, such as when encryption is performed on an end-host whose power usage cannot be monitored by an adversary. Furthermore, one way to achieve secure encryption on a smart-card would be to further refine the definition so that it takes power analysis into account. Or, perhaps hardware countermeasures for power analysis can be developed, with the effect of making the original definition (and hence the original scheme) appropriate for smart-cards. The point is that with a definition you at least know where you stand, even if the definition turns out not to accurately model the particular setting in which a scheme is used. In contrast, with no definition it is not even clear what went wrong.

This possibility of a disconnect between a mathematical model and the reality it is supposed to be modeling is not unique to cryptography but is something that occurs throughout science. To take an example from the field of computer science, consider the meaning of a mathematical proof that there exist well-defined problems that computers cannot solve.⁷ The immediate question that arises is what does it mean for “a computer to solve a problem”? Specifically, a mathematical proof can be provided only when there is some mathematical definition of what a computer is (or to be more exact, what the process of computation is). The problem is that computation is a real-world process, and there are many different ways of computing. In order for us to be really convinced that the “unsolvable problem” is really unsolvable, we must be convinced that our mathematical definition of computation captures the real-world process of computation. How do we know when it does?

This inherent difficulty was noted by Alan Turing who studied questions of what can and cannot be solved by a computer. We quote from his original paper [140] (the text in square brackets replaces original text in order to make it more reader friendly):

No attempt has yet been made to show [that the problems we have defined to be solvable by a computer] include [exactly those problems] which would naturally be regarded as computable. All arguments which can be given are bound to be, fundamentally, appeals to intuition, and for this reason rather unsatisfactory mathematically. The real question at issue is “What are the possible processes which can be carried out in [computation]?”

The arguments which I shall use are of three kinds.

(a) A direct appeal to intuition.


⁷Those who have taken a course in computability theory will be familiar with the fact that such problems do indeed exist (e.g., the Halting Problem).

(b) A proof of the equivalence of two definitions (in case the new definition has a greater intuitive appeal).

(c) Giving examples of large classes of [problems that can be solved using a given definition of computation].

In some sense, Turing faced the exact same problem as cryptographers. He developed a mathematical model of computation but needed to somehow be convinced that the model was a good one. Likewise, cryptographers define notions of security and need to be convinced that their definitions imply meaningful security guarantees in the real world. As with Turing, they may employ the following tools to become convinced:

1. Appeals to intuition: the first tool when contemplating a new definition of security is to see whether it implies security properties that we intuitively expect to hold. This is a minimum requirement, since (as we have seen in our discussion of encryption) our initial intuition usually results in a notion of security that is too weak.

2. Proofs of equivalence: it is often the case that a new definition of security is justified by showing that it is equivalent to (or stronger than) a definition that is older, more familiar, or more intuitively-appealing.

3. Examples: a useful way of being convinced that a definition of security suffices is to show that the different real-world attacks we are familiar with are ruled out by the definition.

In addition to all of the above, and perhaps most importantly, we rely on the test of time and the fact that with time, the scrutiny and investigation of both researchers and practitioners testifies to the soundness of a definition.

1.4.2 Principle 2 — Reliance on Precise Assumptions

Most modern cryptographic constructions cannot be proven secure unconditionally. Indeed, proofs of this sort would require resolving questions in the theory of computational complexity that seem far from being answered today. The result of this unfortunate state of affairs is that security typically relies upon some assumption. The second principle of modern cryptography states that assumptions must be precisely stated. This is for three main reasons:

1. Validation of the assumption: By their very nature, assumptions are statements that are not proven but are rather conjectured to be true. In order to strengthen our belief in some assumption, it is necessary for the assumption to be studied. The more the assumption is examined and tested without being successfully refuted, the more confident we are that the assumption is true. Furthermore, study of an assumption can provide positive evidence of its validity by showing that it is implied by some other assumption that is also widely believed. If the assumption being relied upon is not precisely stated and presented, it cannot be studied and (potentially) refuted. Thus, a pre-condition to raising our confidence in an assumption is having a precise statement of what exactly is assumed.

2. Comparison of schemes: Often in cryptography, we may be presented with two schemes that can both be proven to satisfy some definition but each with respect to a different assumption. Assuming both schemes are equally efficient, which scheme should be preferred? If the assumption on which one scheme is based is weaker than the assumption on which the second scheme is based (i.e., the second assumption implies the first), then the first scheme is to be preferred since it may turn out that the second assumption is false while the first assumption is true. If the assumptions used by the two schemes are incomparable, then the general rule is to prefer the scheme that is based on the better-studied assumption, or the assumption that is simpler (for the reasons highlighted in the previous paragraphs).

3. Facilitation of proofs of security: As we have stated, and will discuss in more depth in principle 3, modern cryptographic constructions are presented together with proofs of security. If the security of the scheme cannot be proven unconditionally and must rely on some assumption, then a mathematical proof that “the construction is secure if the assumption is true” can only be provided if there is a precise statement of what the assumption is.

One observation is that it is always possible to just assume that a construction itself is secure. If security is well defined, this is also a precise assumption (and the proof of security for the construction is trivial)! Of course, this is not accepted practice in cryptography for a number of reasons. First of all, as noted above, an assumption that has been tested over the years is preferable to a new assumption that is introduced just to prove a given construction secure. Second, there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute. So, for example, an assumption of the type that some mathematical problem is hard to solve is simpler to study and work with than an assumption that an encryption scheme satisfies a complex (and possibly unnatural) security definition. When a simple assumption is studied at length and still no refutation is found, we have greater confidence in its being correct. Another advantage of relying on “lower-level” assumptions (rather than just assuming a construction is secure) is that these low-level assumptions can typically be shared amongst a number of constructions. If a specific instantiation of the assumption turns out to be false, it can simply be replaced (within any higher-level construction based on that assumption) by a different instantiation of that assumption.

The above methodology is used throughout this book. For example, Chapters 3 and 4 show how to achieve secure communication (in a number of ways), assuming that a primitive called a “pseudorandom function” exists. In these chapters nothing is said at all about how such a primitive can be constructed. In Chapter 5, we then discuss how pseudorandom functions are constructed in practice, and in Chapter 6 we show that pseudorandom functions can be constructed from even lower-level primitives.

1.4.3 Principle 3 — Rigorous Proofs of Security

The first two principles discussed above lead naturally to the current one. Modern cryptography stresses the importance of rigorous proofs of security for proposed schemes. The fact that exact definitions and precise assumptions are used means that such a proof of security is possible. However, why is a proof necessary? The main reason is that the security of a construction or protocol cannot be checked in the same way that software is typically checked. For example, the fact that encryption and decryption “work” and that the ciphertext looks garbled, does not mean that a sophisticated adversary is unable to break the scheme. Without a proof that no adversary of the specified power can break the scheme, we are left only with our intuition that this is the case. Experience has shown that intuition in cryptography and computer security is disastrous. There are countless examples of unproven schemes that were broken, sometimes immediately and sometimes years after being presented or deployed.

Another reason why proofs of security are so important is related to the potential damage that can result if an insecure system is used. Although software bugs can sometimes be very costly, the potential damage that may result from someone breaking the encryption scheme or authentication mechanism of a bank is huge. Finally, we note that although many bugs exist in software, things basically work due to the fact that typical users do not try to make their software fail. In contrast, attackers use amazingly complex and intricate means (utilizing specific properties of the construction) to attack security mechanisms with the clear aim of breaking them. Thus, although proofs of correctness are always desirable in computer science, they are absolutely essential in the realm of cryptography and computer security. We stress that the above observations are not just hypothetical, but are conclusions that have been reached after years of empirical evidence and experience.

The reductionist approach. We conclude by noting that most proofs in modern cryptography use what may be called the reductionist approach. Given a theorem of the form

“Given that Assumption X is true, Construction Y is secure according to the given definition”,

a proof typically shows how to reduce the problem given by Assumption X to the problem of breaking Construction Y. More to the point, the proof will typically show (via a constructive argument) how any adversary breaking Construction Y can be used as a sub-routine to violate Assumption X. We will have more to say about this in Section 3.1.3.

Summary — Rigorous vs. Ad-Hoc Approaches to Security

The combination of the above three principles constitutes a rigorous approach to cryptography that is distinct from the ad-hoc approach of classical cryptography. The ad-hoc approach may fail on any one of the above three principles, but often ignores them all. Unfortunately, ad hoc solutions are still designed and deployed by those who wish to obtain a “quick and dirty” solution to a problem (or by those who are just simply unaware). We hope that this book will contribute to an awareness of the importance of the rigorous approach, and its success in developing new, mathematically-secure schemes.


References and Additional Reading

In this chapter, we have studied just a few of the known historical ciphers. There are many others of both historical and mathematical interest, and we refer the reader to textbooks by Stinson [138] or Trappe and Washington [139] for further details. The role of these schemes in history (and specifically in the history of war) is a fascinating subject that is covered in the book by Kahn [81].

We discussed the differences between the historical, non-rigorous approach to cryptography (as exemplified by historical ciphers) and a rigorous approach based on precise definitions and proofs. Shannon [127] was the first to take the latter approach. Modern cryptography, which relies on (computational) assumptions in addition to definitions and proofs, was begun in the seminal paper by Goldwasser and Micali [69]. We will study this in Chapter 3. A comprehensive coverage of the modern cryptographic approach can be found in Goldreich’s work on the Foundations of Cryptography [64, 65]. Our presentation in a number of places was influenced by this work, most notably in Chapter 6.


Exercises

1.1 Decrypt the ciphertext provided at the end of the section on mono-alphabetic substitution.

1.2 Provide a formal definition of the Gen, Enc, and Dec algorithms for both the mono-alphabetic substitution and Vigenère ciphers.
1.3 Consider an improved version of the Vigenère cipher, where instead of using multiple shift ciphers, multiple mono-alphabetic substitution ciphers are used. That is, the key consists of t random permutations of the alphabet, and the plaintext characters in positions i, t + i, 2t + i, and so on are encrypted using the ith permutation. Show how to break this version of the cipher.

1.4 In an attempt to prevent Kasiski’s attack on the Vigenère cipher, the following modification has been proposed. Given the period t of the cipher, the plaintext is broken up into blocks of size t. Recall that within each block, the Vigenère cipher works by encrypting the ith character with the ith key (using a shift cipher). Letting the key be k_1, ..., k_t, this means the ith character in each block is encrypted by adding k_i to it, modulo 26. The proposed modification is to encrypt the ith character in the jth block by adding k_i + j modulo 26.

(a) Show that decryption can be carried out.

(b) Describe the effect of the above modification on Kasiski’s attack.

(c) Devise an alternate way to determine the period for this scheme.

1.5 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a known-plaintext attack. How much known plaintext is needed to completely recover the key for each of the ciphers?

1.6 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a chosen-plaintext attack. How much plaintext must be encrypted in order for the adversary to completely recover the key? Compare to the previous question.


Chapter 2

Perfectly-Secret Encryption


In the previous chapter, we presented historical encryption schemes (ciphers) and showed how they can be completely broken with very little computational effort. In this chapter, we look at the other extreme and study encryption schemes that are provably secure even against an adversary who has unbounded computational power. Such schemes are called perfectly secret. We will see under what conditions perfect secrecy can and cannot be achieved, and why this is the case.

The material in this chapter belongs, in some sense, more to the world of “classical cryptography” than to the world of “modern cryptography”. Besides the fact that all the material introduced here was developed before the revolution in cryptography that took place in the mid-’70s and ’80s, the constructions we study in this chapter rely only on the first and third principles outlined in Section 1.4. That is, precise mathematical definitions will be given and rigorous proofs will be shown, but it will not be necessary to rely on any unproven assumptions. This is clearly advantageous. We will see, however, that such an approach has inherent limitations. Thus, in addition to serving as a good basis for understanding the principles underlying modern cryptography, the results of this chapter also justify our later adoption of all three of the aforementioned principles.

In this chapter, we assume a familiarity with basic probability. The relevant notions are reviewed in Appendix A.3.


2.1 Definitions and Basic Properties

We begin by briefly recalling some of the syntax that was introduced in the previous chapter. An encryption scheme is defined by three algorithms Gen, Enc, and Dec, as well as a specification of a message space $\mathcal{M}$ with $|\mathcal{M}| > 1$.¹ The key-generation algorithm Gen is a probabilistic algorithm that outputs a key k chosen according to some distribution. We denote by $\mathcal{K}$ the key space, i.e., the set of all possible keys that can be output by Gen, and


¹If $|\mathcal{M}| = 1$ there is only one message and there is no point in communicating, let alone encrypting.
require $\mathcal{K}$ to be finite. The encryption algorithm Enc takes as input a key $k \in \mathcal{K}$ and a message $m \in \mathcal{M}$, and outputs a ciphertext c; we denote this by $\mathsf{Enc}_k(m)$. The encryption algorithm may be probabilistic, so that $\mathsf{Enc}_k(m)$ might output a different ciphertext when run multiple times. To emphasize this, we write $c \leftarrow \mathsf{Enc}_k(m)$ to denote the possibly probabilistic process by which message m is encrypted using key k to give ciphertext c. (In case Enc is deterministic, we may emphasize this by writing $c := \mathsf{Enc}_k(m)$.) We let $\mathcal{C}$ denote the set of all possible ciphertexts that can be output by $\mathsf{Enc}_k(m)$, for all possible choices of $k \in \mathcal{K}$ and $m \in \mathcal{M}$ (and for all random choices of Enc in case it is randomized). The decryption algorithm Dec takes as input a key $k \in \mathcal{K}$ and a ciphertext $c \in \mathcal{C}$ and outputs a message $m \in \mathcal{M}$. Throughout the book, we assume that encryption schemes are perfectly correct, meaning that for all $k \in \mathcal{K}$, $m \in \mathcal{M}$, and any ciphertext c output by $\mathsf{Enc}_k(m)$, it holds that $\mathsf{Dec}_k(c) = m$ with probability 1. This implies that we may assume Dec is deterministic without loss of generality (since $\mathsf{Dec}_k(c)$ must give the same output every time it is run). We will thus write $m := \mathsf{Dec}_k(c)$ to denote the process of decrypting ciphertext c using key k.

In the definitions and theorems below, we refer to probability distributions over $\mathcal{K}$, $\mathcal{M}$, and $\mathcal{C}$. The distribution over $\mathcal{K}$ is simply the one that is defined by running Gen and taking the output. (As noted previously, it is almost always the case that Gen chooses a key uniformly from $\mathcal{K}$; moreover, this may be assumed to be the case without loss of generality.) For $k \in \mathcal{K}$, we let $\Pr[K = k]$ denote the probability that the key output by Gen is equal to k. (Formally, K is a random variable denoting the value of the key.) Similarly, for $m \in \mathcal{M}$ we let $\Pr[M = m]$ denote the probability that the message is equal to m. The fact that the message is chosen according to some distribution (rather than being fixed) is meant to model the fact that, at least from the point of view of the adversary, different messages have different probabilities of being sent. (If the adversary knows what message is being sent, then it doesn't need to decrypt anything and there is no need for the parties to use encryption!) As an example, the adversary may know that the encrypted message is either attack tomorrow or don't attack. Furthermore, the adversary may even know (by other means) that with probability 0.7 the message will be a command to attack and with probability 0.3 the message will be a command not to attack. In this case, we have $\Pr[M = \text{attack tomorrow}] = 0.7$ and $\Pr[M = \text{don't attack}] = 0.3$.

The distributions over $\mathcal{K}$ and $\mathcal{M}$ are independent, i.e., the key and message are chosen independently. This is the case because the key is chosen and fixed (i.e., shared by the communicating parties) before the message is known. Furthermore, the distribution over $\mathcal{K}$ is fixed by the encryption scheme itself (since it is defined by Gen) while the distribution over $\mathcal{M}$ may vary depending on the parties who are using the encryption scheme.

For $c \in \mathcal{C}$, we write $\Pr[C = c]$ to denote the probability that the ciphertext is c. Given the encryption algorithm Enc, the distribution over $\mathcal{C}$ is fully determined by the distributions over $\mathcal{K}$ and $\mathcal{M}$.
The definition. We are now ready to define the notion of perfect secrecy. Intuitively, we imagine an adversary who knows the probability distribution over $\mathcal{M}$; that is, the adversary knows the likelihood that different messages will be sent (as in the example given above). The adversary then observes some ciphertext being sent by one party to the other. Ideally, observing this ciphertext should have no effect on the knowledge of the adversary; in other words, the a posteriori likelihood that some message m was sent (even given the ciphertext that was seen) should be no different from the a priori probability that m would be sent. This should hold for any $m \in \mathcal{M}$. Furthermore, this should hold even if the adversary has unbounded computational power. This means that a ciphertext reveals nothing about the underlying plaintext, and thus an adversary who intercepts a ciphertext learns absolutely nothing about the plaintext that was encrypted. Formally:

DEFINITION 2.1 An encryption scheme (Gen, Enc, Dec) over a message space $\mathcal{M}$ is perfectly secret if for every probability distribution over $\mathcal{M}$, every message $m \in \mathcal{M}$, and every ciphertext $c \in \mathcal{C}$ for which $\Pr[C = c] > 0$:

$$\Pr[M = m \mid C = c] = \Pr[M = m].$$

(The  requirement  that  Pr[C  = c]  > 0 is  a technical  one  needed  to  prevent 
conditioning  on  a zero-probability  event.)  Another  way  of  interpreting  Defini- 
tion 2.1  is  that  a scheme  is  perfectly  secret  if  the  distributions  over  messages 
and  ciphertexts  are  independent. 

A simplifying convention. In this chapter, we consider only probability distributions over $\mathcal{M}$ and $\mathcal{C}$ that assign non-zero probabilities to all $m \in \mathcal{M}$ and $c \in \mathcal{C}$.² This significantly simplifies the presentation, because we often need to divide by $\Pr[M = m]$ or $\Pr[C = c]$, which is a problem if they may equal zero. Likewise, as in Definition 2.1 we sometimes need to condition on the event $C = c$ or $M = m$. This too is problematic if those events have zero probability. Due to this simplifying convention, we will not mention from here on the requirement that $\Pr[M = m] > 0$ or $\Pr[C = c] > 0$, even though it is actually required.

We stress that this convention is only meant to simplify the exposition and is not a fundamental limitation. In particular, all the theorems we prove can be appropriately adapted to the case of arbitrary distributions over $\mathcal{M}$ and $\mathcal{C}$ (that may assign some messages or ciphertexts probability 0). See also Exercise 2.6.

An  equivalent  formulation.  The  following  lemma  gives  an  equivalent  for- 
mulation of  Definition  2.1. 


²We remark that this holds always for $k \in \mathcal{K}$ because $\mathcal{K}$ is defined as the set of keys output by Gen with non-zero probability.
LEMMA 2.2 An encryption scheme (Gen, Enc, Dec) over a message space $\mathcal{M}$ is perfectly secret if and only if for every probability distribution over $\mathcal{M}$, every message $m \in \mathcal{M}$, and every ciphertext $c \in \mathcal{C}$:

$$\Pr[C = c \mid M = m] = \Pr[C = c].$$


PROOF Fix a distribution over $\mathcal{M}$ and arbitrary $m \in \mathcal{M}$ and $c \in \mathcal{C}$. Say

$$\Pr[C = c \mid M = m] = \Pr[C = c].$$

Multiplying both sides of the equation by $\Pr[M = m]/\Pr[C = c]$ gives

$$\frac{\Pr[C = c \mid M = m] \cdot \Pr[M = m]}{\Pr[C = c]} = \Pr[M = m].$$

Using Bayes' theorem (see Theorem A.8), the left-hand side is exactly equal to $\Pr[M = m \mid C = c]$. Thus, $\Pr[M = m \mid C = c] = \Pr[M = m]$ and the scheme is perfectly secret.

The other direction of the proof is left as an exercise. ■


We emphasize that in the above proof we used the fact that (by the simplifying convention mentioned earlier) both $m \in \mathcal{M}$ and $c \in \mathcal{C}$ are assigned non-zero probabilities, enabling division by $\Pr[C = c]$ and conditioning on the event $M = m$.

Perfect indistinguishability. We now use Lemma 2.2 to obtain another equivalent and useful formulation of perfect secrecy. This formulation states that the probability distribution over $\mathcal{C}$ is independent of the plaintext. That is, let $\mathcal{C}(m)$ denote the distribution of the ciphertext when the message being encrypted is $m \in \mathcal{M}$ (this distribution depends on the choice of key, as well as the randomness of the encryption algorithm in case it is probabilistic). Then the claim is that for every $m_0, m_1 \in \mathcal{M}$, the distributions $\mathcal{C}(m_0)$ and $\mathcal{C}(m_1)$ are identical. This is just another way of saying that the ciphertext contains no information about the plaintext. We refer to this formulation as perfect indistinguishability because it implies that it is impossible to distinguish an encryption of $m_0$ from an encryption of $m_1$ (due to the fact that the distribution over the ciphertext is the same in each case).


LEMMA 2.3 An encryption scheme (Gen, Enc, Dec) over a message space $\mathcal{M}$ is perfectly secret if and only if for every probability distribution over $\mathcal{M}$, every $m_0, m_1 \in \mathcal{M}$, and every $c \in \mathcal{C}$:

$$\Pr[C = c \mid M = m_0] = \Pr[C = c \mid M = m_1].$$
PROOF Assume that the encryption scheme is perfectly secret and fix messages $m_0, m_1 \in \mathcal{M}$ and a ciphertext $c \in \mathcal{C}$. By Lemma 2.2 we have

$$\Pr[C = c \mid M = m_0] = \Pr[C = c] = \Pr[C = c \mid M = m_1],$$

completing the proof of the first direction.

Assume next that for every distribution over $\mathcal{M}$, every $m_0, m_1 \in \mathcal{M}$, and every $c \in \mathcal{C}$ it holds that $\Pr[C = c \mid M = m_0] = \Pr[C = c \mid M = m_1]$. Fix some distribution over $\mathcal{M}$, and an arbitrary $m_0 \in \mathcal{M}$ and $c \in \mathcal{C}$. Define $p \stackrel{\text{def}}{=} \Pr[C = c \mid M = m_0]$. Since $\Pr[C = c \mid M = m] = \Pr[C = c \mid M = m_0] = p$ for all m, we have

$$\begin{aligned}
\Pr[C = c] &= \sum_{m \in \mathcal{M}} \Pr[C = c \mid M = m] \cdot \Pr[M = m] \\
&= \sum_{m \in \mathcal{M}} p \cdot \Pr[M = m] \\
&= p \cdot \sum_{m \in \mathcal{M}} \Pr[M = m] \\
&= p \\
&= \Pr[C = c \mid M = m_0].
\end{aligned}$$

Since $m_0$ was arbitrary, we have shown that $\Pr[C = c] = \Pr[C = c \mid M = m]$ for all $c \in \mathcal{C}$ and $m \in \mathcal{M}$. Applying Lemma 2.2, we conclude that the encryption scheme is perfectly secret. ■

Adversarial  indistinguishability.  We  conclude  this  section  by  presenting 
another  equivalent  definition  of  perfect  secrecy.  This  definition  is  based  on 
an  experiment  involving  an  adversary  A,  and  formalizes  A’s  inability  to  dis- 
tinguish the  encryption  of  one  plaintext  from  the  encryption  of  another;  we 
thus  call  it  adversarial  indistinguishability.  This  definition  will  serve  as  our 
starting  point  when  we  introduce  the  notion  of  computational  security  in  the 
next  chapter.  Throughout  the  book  we  will  often  use  experiments  in  order  to 
define  security.  These  “experiments”  are  essentially  a game  played  between 
an  adversary  trying  to  break  a cryptographic  scheme  and  an  imaginary  tester 
who  wishes  to  see  if  the  adversary  succeeds. 

We define an experiment that we call $\mathsf{PrivK}^{\mathsf{eav}}$ since it considers the setting of private-key encryption and an eavesdropping adversary (the adversary is eavesdropping because it only receives a ciphertext c and then tries to determine something about the plaintext). The experiment is defined for any encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ over message space $\mathcal{M}$ and for any adversary $\mathcal{A}$. We let $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$ denote an execution of the experiment for a given $\Pi$ and $\mathcal{A}$. The experiment is defined as follows:
The eavesdropping indistinguishability experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$:

1. The adversary $\mathcal{A}$ outputs a pair of messages $m_0, m_1 \in \mathcal{M}$.

2. A random key k is generated by running Gen, and a random bit $b \leftarrow \{0, 1\}$ is chosen. (These are chosen by some imaginary entity that is running the experiment with $\mathcal{A}$.) Then, a ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to $\mathcal{A}$.

3. $\mathcal{A}$ outputs a bit $b'$.

4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. We write $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi} = 1$ if the output is 1 and in this case we say that $\mathcal{A}$ succeeded.

One should think of $\mathcal{A}$ as trying to guess the value of b that is chosen in the experiment, and $\mathcal{A}$ succeeds when its guess $b'$ is correct. Observe that it is always possible for $\mathcal{A}$ to succeed in the experiment with probability one half by just guessing $b'$ randomly. The question is whether it is possible for $\mathcal{A}$ to do any better than this. The alternate definition we now give states that an encryption scheme is perfectly secret if no adversary $\mathcal{A}$ can succeed with probability any better than one half. We stress that, as is the case throughout this chapter, there is no limitation whatsoever on the computational power of $\mathcal{A}$.

DEFINITION 2.4 An encryption scheme (Gen, Enc, Dec) over a message space $\mathcal{M}$ is perfectly secret if for every adversary $\mathcal{A}$ it holds that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi} = 1\right] = \frac{1}{2}.$$

The  following  proposition  states  that  Definition  2.4  is  equivalent  to  Defini- 
tion 2.1.  We  leave  the  proof  of  the  proposition  as  an  exercise. 

PROPOSITION 2.5 Let (Gen, Enc, Dec) be an encryption scheme over a message space $\mathcal{M}$. Then (Gen, Enc, Dec) is perfectly secret with respect to Definition 2.1 if and only if it is perfectly secret with respect to Definition 2.4.


2.2  The  One-Time  Pad  (Vernam’s  Cipher) 

In 1917, Vernam patented a cipher now called the one-time pad that obtains perfect secrecy. There was no proof of this fact at the time (in fact, there was not yet a notion of what perfect secrecy was). Rather, approximately 25 years later, Shannon introduced the notion of perfect secrecy and demonstrated that the one-time pad achieves this level of security.
Let $a \oplus b$ denote the bitwise exclusive-or (XOR) of two binary strings a and b (i.e., if $a = a_1, \ldots, a_\ell$ and $b = b_1, \ldots, b_\ell$, then $a \oplus b = a_1 \oplus b_1, \ldots, a_\ell \oplus b_\ell$).

The  one-time  pad  encryption  scheme  is  defined  as  follows: 

1. Fix an integer $\ell > 0$. Then the message space $\mathcal{M}$, key space $\mathcal{K}$, and ciphertext space $\mathcal{C}$ are all equal to $\{0, 1\}^\ell$ (i.e., the set of all binary strings of length $\ell$).

2. The key-generation algorithm Gen works by choosing a string from $\mathcal{K} = \{0, 1\}^\ell$ according to the uniform distribution (i.e., each of the $2^\ell$ strings in the space is chosen as the key with probability exactly $2^{-\ell}$).

3. Encryption Enc works as follows: given a key $k \in \{0, 1\}^\ell$ and a message $m \in \{0, 1\}^\ell$, output $c := k \oplus m$.

4. Decryption Dec works as follows: given a key $k \in \{0, 1\}^\ell$ and a ciphertext $c \in \{0, 1\}^\ell$, output $m := k \oplus c$.

Before discussing the security of the one-time pad, we note that for every k and every m it holds that $\mathsf{Dec}_k(\mathsf{Enc}_k(m)) = k \oplus k \oplus m = m$ and so the one-time pad constitutes a legal encryption scheme.

Intuitively, the one-time pad is perfectly secret because given a ciphertext c, there is no way an adversary can know which plaintext m it originated from. In order to see why this is true, notice that for every possible m there exists a key k such that $c = \mathsf{Enc}_k(m)$; namely, take $k = m \oplus c$. Furthermore, each key is chosen with uniform probability (and hidden from the adversary) and so no key is more likely than any other. Combining the above, we obtain that c reveals nothing whatsoever about which plaintext m was encrypted, because every plaintext is equally likely to have been encrypted. We now prove this intuition formally:

THEOREM 2.6 The one-time pad encryption scheme is perfectly secret.

PROOF Fix some distribution over $\mathcal{M}$ and fix an arbitrary $m \in \mathcal{M}$ and $c \in \mathcal{C}$. The key observation is that for the one-time pad,

$$\Pr[C = c \mid M = m] = \Pr[M \oplus K = c \mid M = m] = \Pr[m \oplus K = c] = \Pr[K = m \oplus c] = \frac{1}{2^\ell}.$$

Since this holds for all distributions and all m, we have that for every probability distribution over $\mathcal{M}$, every $m_0, m_1 \in \mathcal{M}$ and every $c \in \mathcal{C}$,

$$\Pr[C = c \mid M = m_0] = \frac{1}{2^\ell} = \Pr[C = c \mid M = m_1].$$

By Lemma 2.3, this implies that the encryption scheme is perfectly secret. ■
We conclude that perfect secrecy is attainable. Unfortunately, the one-time pad encryption scheme has a number of drawbacks. Most prominent is that the key is required to be as long as the message. First and foremost, this means that a long key must be securely stored, something that is highly problematic in practice and often not achievable. In addition, this limits applicability of the scheme if we want to send very long messages (as it may be difficult to securely store a very long key) or if we don't know in advance an upper bound on how long the message will be (since we can't share a key of unbounded length). Moreover, the one-time pad scheme, as the name indicates, is only "secure" if used once (with the same key). Although we did not yet define a notion of security when multiple messages are encrypted, it is easy to see informally that encrypting more than one message leaks a lot of information. In particular, say two messages $m, m'$ are encrypted using the same key k. An adversary who obtains $c = m \oplus k$ and $c' = m' \oplus k$ can compute

$$c \oplus c' = (m \oplus k) \oplus (m' \oplus k) = m \oplus m'$$

and thus learn something about the exclusive-or of the two messages. While this may not seem very significant, it is enough to rule out any claims of perfect secrecy when encrypting two messages. Furthermore, if the messages correspond to English-language text, then given the exclusive-or of two sufficiently long messages, it has been shown to be possible to perform frequency analysis (as in the previous chapter, though more complex) and recover the messages themselves.
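The scheme and the key-reuse leak above, as an added worked example that is not part of the original chapter. It implements the one-time pad over byte strings rather than bit strings (XOR is applied byte-wise, which is the same operation), draws the key from Python's `secrets` module as the uniform Gen, and then shows the two behaviours the text describes: for any candidate plaintext of the right length there is a key that explains the ciphertext (the key observation in the proof of Theorem 2.6), and reusing the pad hands an eavesdropper $m \oplus m'$, from which a guessed fragment of one message (a "crib") exposes the corresponding bytes of the other. The two 23-byte messages and the crib are constructed for the demonstration.

```python
import secrets
from typing import List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """a ⊕ b on equal-length byte strings; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_gen(length: int) -> bytes:
    """Gen: a key chosen uniformly from {0,1}^(8*length), read from the OS CSPRNG."""
    return secrets.token_bytes(length)


def otp_enc(key: bytes, msg: bytes) -> bytes:
    """Enc_k(m) := k ⊕ m."""
    return xor_bytes(key, msg)


def otp_dec(key: bytes, ct: bytes) -> bytes:
    """Dec_k(c) := k ⊕ c."""
    return xor_bytes(key, ct)


def explaining_key(ct: bytes, candidate: bytes) -> bytes:
    """The key k = m ⊕ c under which ct decrypts to `candidate`. One exists for every
    candidate of the right length, which is why the ciphertext reveals nothing (Theorem 2.6)."""
    return xor_bytes(candidate, ct)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when one key is reused: c1 ⊕ c2 = m1 ⊕ m2."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a guessed plaintext fragment (a 'crib') along m1 ⊕ m2. Wherever the crib really
    occurs in one message, XORing it out exposes the other message's bytes at that offset.
    Offsets where the exposed bytes are all printable ASCII are returned as candidates."""
    hits: List[Tuple[int, bytes]] = []
    for off in range(len(m1_xor_m2) - len(crib) + 1):
        exposed = xor_bytes(m1_xor_m2[off:off + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in exposed):
            hits.append((off, exposed))
    return hits


# Constructed sample messages (23 bytes each) for the demonstration.
M1 = b"attack tomorrow at dawn"
M2 = b"hold position and wait."

if __name__ == "__main__":
    k = otp_gen(len(M1))
    c1 = otp_enc(k, M1)
    print("round trip ok:", otp_dec(k, c1) == M1)

    # Perfect secrecy in action: the same ciphertext is consistent with any plaintext.
    other = b"retreat at once, all ok"
    print("c1 also decrypts to:", otp_dec(explaining_key(c1, other), c1))

    # Key reuse: the pad cancels and the eavesdropper sees m1 ⊕ m2 directly.
    c2 = otp_enc(k, M2)
    leak = two_time_pad_leak(c1, c2)
    print("leak == M1 ⊕ M2:", leak == xor_bytes(M1, M2))
    print("guessing 'attack' in one message exposes:", crib_drag(leak, b"attack"))
```

The `explaining_key` function is the reason the one-time pad cannot be "brute-forced" even by an unbounded adversary: every key is equally likely a priori, and every plausible plaintext has exactly one key that produces the observed ciphertext, so trying all keys just enumerates all plaintexts. `crib_drag` is the reason the pad must never be reused: the key drops out of $c \oplus c'$ entirely, and the remaining structure is plaintext against plaintext.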


2.3  Limitations  of  Perfect  Secrecy 

In  this  section,  we  show  that  the  aforementioned  limitations  of  the  one-time 
pad  encryption  scheme  are  inherent.  Specifically,  we  prove  that  any  perfectly- 
secret  encryption  scheme  must  have  a key  space  that  is  at  least  as  large  as 
the  message  space.  If  the  key  space  consists  of  fixed-length  keys,  and  the 
message  space  consists  of  all  messages  of  some  fixed  length,  this  implies  that 
the  key  must  be  at  least  as  long  as  the  message.  Thus,  the  problem  of  a large 
key  length  is  not  specific  to  the  one-time  pad,  but  is  inherent  to  any  scheme 
achieving perfect secrecy. (The other limitation regarding the fact that the key can only be used once is also inherent in the context of perfect secrecy; see, e.g., Exercise 2.9.)


THEOREM 2.7 Let (Gen, Enc, Dec) be a perfectly-secret encryption scheme over a message space $\mathcal{M}$, and let $\mathcal{K}$ be the key space as determined by Gen. Then $|\mathcal{K}| \geq |\mathcal{M}|$.
PROOF We show that if $|\mathcal{K}| < |\mathcal{M}|$ then the scheme is not perfectly secret. Assume $|\mathcal{K}| < |\mathcal{M}|$. Consider the uniform distribution over $\mathcal{M}$ and let $c \in \mathcal{C}$ be a ciphertext that occurs with non-zero probability. Let $\mathcal{M}(c)$ be the set of all possible messages which are possible decryptions of c; that is

$$\mathcal{M}(c) \stackrel{\text{def}}{=} \{\hat{m} \mid \hat{m} = \mathsf{Dec}_k(c) \text{ for some } k \in \mathcal{K}\}.$$

Clearly $|\mathcal{M}(c)| \leq |\mathcal{K}|$ since for each message $\hat{m} \in \mathcal{M}(c)$ we can identify at least one key $k \in \mathcal{K}$ for which $\hat{m} = \mathsf{Dec}_k(c)$. (Recall that we assume Dec is deterministic.) Under the assumption that $|\mathcal{K}| < |\mathcal{M}|$, this means that there is some $m' \in \mathcal{M}$ such that $m' \notin \mathcal{M}(c)$. But then

$$\Pr[M = m' \mid C = c] = 0 \neq \Pr[M = m'],$$

and so the scheme is not perfectly secret. ■


Perfect  secrecy  at  a lower  price?  The  above  theorem  shows  an  inherent 
limitation  of  schemes  that  achieve  perfect  secrecy.  Even  so,  it  is  often  claimed 
by  individuals  and/or  companies  that  they  have  developed  a radically  new 
encryption  scheme  that  is  unbreakable  and  achieves  the  security  level  of  the 
one-time  pad  without  using  long  keys.  The  above  proof  demonstrates  that 
such  claims  cannot  be  true;  the  person  claiming  them  either  knows  very  little 
about  cryptography  or  is  blatantly  lying. 


2.4  * Shannon’s  Theorem 

In his breakthrough work on perfect secrecy, Shannon also provided a characterization of perfectly-secret encryption schemes. As we shall see below, this characterization says that, assuming $|\mathcal{K}| = |\mathcal{M}| = |\mathcal{C}|$, the key-generation algorithm Gen must choose a secret key uniformly from the set of all possible keys (as in the one-time pad), and that for every plaintext message and ciphertext there exists a single key mapping the plaintext to the ciphertext (again, as in the one-time pad). Beyond being interesting in its own right, this theorem is a powerful tool for proving (or contradicting) the perfect secrecy of suggested schemes. We discuss this further after the proof.

As before, we assume that the probability distributions over $\mathcal{M}$ and $\mathcal{C}$ are such that all $m \in \mathcal{M}$ and $c \in \mathcal{C}$ are assigned non-zero probabilities. The theorem here considers the special case when $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$, meaning that the sets of plaintexts, keys, and ciphertexts are all of the same size. We have already seen that $|\mathcal{K}| \geq |\mathcal{M}|$. It is easy to see that $|\mathcal{C}|$ must also be at least the size of $|\mathcal{M}|$ because otherwise for every key, there must be two plaintexts that are mapped to a single ciphertext (making it impossible to unambiguously decrypt). Therefore, in some sense, the case of $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$ is the "most efficient". We are now ready to state the theorem:


THEOREM 2.8 (Shannon's theorem) Let (Gen, Enc, Dec) be an encryption scheme over a message space $\mathcal{M}$ for which $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$. The scheme is perfectly secret if and only if:

1. Every key $k \in \mathcal{K}$ is chosen with equal probability $1/|\mathcal{K}|$ by algorithm Gen.

2. For every $m \in \mathcal{M}$ and every $c \in \mathcal{C}$, there exists a unique key $k \in \mathcal{K}$ such that $\mathsf{Enc}_k(m)$ outputs c.

PROOF The intuition behind the proof of this theorem is as follows. First, if a scheme fulfills item (2) then a given ciphertext c could be the result of encrypting any possible plaintext m (this holds because for every m there exists a key k mapping it to c). Combining this with the fact that exactly one key maps each m to c, and by item (1) each key is chosen with the same probability, perfect secrecy can be shown as in the case of the one-time pad. For the other direction, the intuition is that if $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$ then there must be exactly one key mapping each m to each c. (Otherwise, either some m is not mapped to a given c, contradicting perfect secrecy, or some m is mapped by more than one key to c, resulting in another $m'$ not being mapped to c, again contradicting perfect secrecy.) Given this, it must hold that each key is chosen with equal probability or some plaintexts would be more likely than others, contradicting perfect secrecy. The formal proof follows.

Let (Gen, Enc, Dec) be as in the theorem. For simplicity, we assume Enc is deterministic. We first prove that if (Gen, Enc, Dec) is perfectly secret, then items (1) and (2) hold. As in the proof of Theorem 2.7, it is not hard to see that for every $m \in \mathcal{M}$ and $c \in \mathcal{C}$, there exists at least one key $k \in \mathcal{K}$ such that $\mathsf{Enc}_k(m) = c$. (Otherwise, $\Pr[M = m \mid C = c] = 0 \neq \Pr[M = m]$.) For a fixed m, consider now the set $\{\mathsf{Enc}_k(m)\}_{k \in \mathcal{K}}$. By what we have just said, $|\{\mathsf{Enc}_k(m)\}_{k \in \mathcal{K}}| \geq |\mathcal{C}|$ (because for every $c \in \mathcal{C}$ there exists a $k \in \mathcal{K}$ such that $\mathsf{Enc}_k(m) = c$). In addition, we trivially have $|\{\mathsf{Enc}_k(m)\}_{k \in \mathcal{K}}| \leq |\mathcal{C}|$. We conclude that

$$|\{\mathsf{Enc}_k(m)\}_{k \in \mathcal{K}}| = |\mathcal{C}|.$$

Since $|\mathcal{K}| = |\mathcal{C}|$, it follows that $|\{\mathsf{Enc}_k(m)\}_{k \in \mathcal{K}}| = |\mathcal{K}|$. This implies that there are no distinct keys $k_1, k_2 \in \mathcal{K}$ with $\mathsf{Enc}_{k_1}(m) = \mathsf{Enc}_{k_2}(m)$. Since m was arbitrary, we see that for every m and c, there exists at most one key $k \in \mathcal{K}$ such that $\mathsf{Enc}_k(m) = c$. Combining the above (i.e., the existence of at least one key and at most one key), we obtain item (2).

We proceed to show that for every $k \in \mathcal{K}$, $\Pr[K = k] = 1/|\mathcal{K}|$. Let $n = |\mathcal{K}|$ and $\mathcal{M} = \{m_1, \ldots, m_n\}$ (recall, $|\mathcal{M}| = |\mathcal{K}| = n$), and fix a ciphertext c. Then, we can label the keys $k_1, \ldots, k_n$ so that for every i ($1 \leq i \leq n$) it holds that $\mathsf{Enc}_{k_i}(m_i) = c$. This labeling can be carried out because, as just shown, for every c and $m_i$ there exists a unique key $k_i$ such that $\mathsf{Enc}_{k_i}(m_i) = c$, and furthermore these keys are distinct for distinct $m_i, m_j$ (since otherwise unambiguous decryption would be impossible). By perfect secrecy we have that for every i:

$$\begin{aligned}
\Pr[M = m_i] &= \Pr[M = m_i \mid C = c] \\
&= \frac{\Pr[C = c \mid M = m_i] \cdot \Pr[M = m_i]}{\Pr[C = c]} \\
&= \frac{\Pr[K = k_i] \cdot \Pr[M = m_i]}{\Pr[C = c]},
\end{aligned}$$

where the second equality is by Bayes' theorem and the third equality holds by the labeling above (i.e., $k_i$ is the unique key that maps $m_i$ to c). From the above, it follows that for every i,

$$\Pr[K = k_i] = \Pr[C = c].$$

Therefore, for every i and j, $\Pr[K = k_i] = \Pr[C = c] = \Pr[K = k_j]$ and so all keys are chosen with the same probability. We conclude that keys are chosen according to the uniform distribution. That is, for every i, $\Pr[K = k_i] = 1/|\mathcal{K}|$ as required.

We now prove the other direction of the theorem. Assume that every key is obtained with probability $1/|\mathcal{K}|$ and that for every $m \in \mathcal{M}$ and $c \in \mathcal{C}$ there is a unique key $k \in \mathcal{K}$ such that $\mathsf{Enc}_k(m) = c$. This immediately implies that for every m and c,

$$\Pr[C = c \mid M = m] = \frac{1}{|\mathcal{K}|},$$

irrespective of the probability distribution over $\mathcal{M}$. Thus, for every probability distribution over $\mathcal{M}$, every $m, m' \in \mathcal{M}$, and every $c \in \mathcal{C}$ we have

$$\Pr[C = c \mid M = m] = \frac{1}{|\mathcal{K}|} = \Pr[C = c \mid M = m'],$$

and so by Lemma 2.3 the encryption scheme is perfectly secret. ■

Uses of Shannon's theorem. Theorem 2.8 is of interest in its own right in that it essentially gives a complete characterization of perfectly-secret encryption schemes. In addition, since items (1) and (2) have nothing to do with the probability distribution over the set of plaintexts $\mathcal{M}$, the theorem implies that if there exists an encryption scheme that provides perfect secrecy for a specific probability distribution over $\mathcal{M}$ then it actually provides perfect secrecy in general (i.e., for all probability distributions over $\mathcal{M}$). Finally, Shannon's theorem is extremely useful for proving whether a given scheme is or is not perfectly secret. Item (1) is easy to confirm and item (2) can be demonstrated (or contradicted) without analyzing any probabilities (in contrast to working with, say, Definition 2.1). For example, the perfect secrecy of the one-time pad (Theorem 2.6) is trivial to prove using Shannon's theorem. We warn, however, that Theorem 2.8 only holds if $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$, and so one must be careful to apply it only in this case.
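An added example, not from the original chapter, that makes the definitions of this chapter computable for small finite schemes. For a scheme with a deterministic Enc, an explicit key distribution and a small message space, it tabulates $\Pr[C = c \mid M = m]$ exactly with Python's `fractions`, checks perfect indistinguishability (Lemma 2.3), computes the success probability of the best possible unbounded eavesdropper in $\mathsf{PrivK}^{\mathsf{eav}}$ (Definition 2.4; the optimal adversary simply outputs the b for which the observed c is more likely under $m_b$), and checks the two items of Shannon's theorem together with its $|\mathcal{M}| = |\mathcal{K}| = |\mathcal{C}|$ precondition. The three sample schemes are constructed for the demonstration: the shift cipher on a single letter, the shift cipher applied to two letters under one key (where Theorem 2.7 already rules out perfect secrecy), and a two-bit one-time pad whose Gen is biased towards the all-zero key, which satisfies item (2) of Theorem 2.8 but not item (1).

```python
from fractions import Fraction
from itertools import product
from typing import Any, Callable, Dict, Iterable, List, Tuple


class FiniteScheme:
    """A finite private-key scheme with deterministic Enc, described by an explicit
    key distribution (Gen), an explicit message space, and an Enc function, so that
    every probability in Definitions 2.1/2.4 and Theorem 2.8 can be computed exactly."""

    def __init__(self, keys: Dict[Any, Fraction], msgs: Iterable[Any],
                 enc: Callable[[Any, Any], Any]):
        if sum(keys.values()) != 1:
            raise ValueError("Gen's output distribution must sum to 1")
        self.keys = keys                      # Pr[K = k] for every k in the key space
        self.msgs: List[Any] = list(msgs)     # the message space M
        self.enc = enc                        # Enc_k(m), assumed deterministic
        # The ciphertext space C: everything Enc can output for some (k, m).
        self.cts: List[Any] = sorted({enc(k, m) for k in keys for m in self.msgs}, key=repr)

    def pr_c_given_m(self, c: Any, m: Any) -> Fraction:
        """Pr[C = c | M = m]. Key and message are chosen independently, so this is
        just the total probability of the keys that map m to c."""
        return sum((p for k, p in self.keys.items() if self.enc(k, m) == c), Fraction(0))


def is_perfectly_indistinguishable(s: FiniteScheme) -> bool:
    """Pr[C = c | M = m0] == Pr[C = c | M = m1] for all m0, m1, c; by Lemma 2.3 this
    is equivalent to perfect secrecy (Definition 2.1)."""
    return all(s.pr_c_given_m(c, m0) == s.pr_c_given_m(c, m1)
               for c in s.cts for m0 in s.msgs for m1 in s.msgs)


def best_eav_success(s: FiniteScheme, m0: Any, m1: Any) -> Fraction:
    """Success probability in PrivK^eav of the optimal, computationally unbounded adversary
    that has chosen the pair (m0, m1): on seeing c it outputs the b under which c is more
    likely, so Pr[b' = b] = 1/2 * sum over c of max(Pr[c | m0], Pr[c | m1])."""
    return Fraction(1, 2) * sum(max(s.pr_c_given_m(c, m0), s.pr_c_given_m(c, m1))
                                for c in s.cts)


def max_eav_success(s: FiniteScheme) -> Fraction:
    """Definition 2.4 quantifies over every adversary, i.e. over every choice of (m0, m1)."""
    return max(best_eav_success(s, m0, m1) for m0 in s.msgs for m1 in s.msgs)


def shannon_conditions(s: FiniteScheme) -> Tuple[bool, bool, bool]:
    """Returns (|M| == |K| == |C|, item (1): Gen is uniform, item (2): a unique key maps
    each m to each c). Theorem 2.8 only applies when the first entry is True."""
    sizes_match = len(s.keys) == len(s.msgs) == len(s.cts)
    uniform = all(p == Fraction(1, len(s.keys)) for p in s.keys.values())
    unique = all(sum(1 for k in s.keys if s.enc(k, m) == c) == 1
                 for m in s.msgs for c in s.cts)
    return sizes_match, uniform, unique


def uniform_keys(keys: Iterable[Any]) -> Dict[Any, Fraction]:
    ks = list(keys)
    return {k: Fraction(1, len(ks)) for k in ks}


# Shift cipher on a single letter: |K| = |M| = |C| = 26 and the key is uniform.
shift1 = FiniteScheme(uniform_keys(range(26)), range(26), lambda k, m: (m + k) % 26)

# Shift cipher on two letters under the same one-letter key: |K| = 26 < |M| = 676,
# so Theorem 2.7 already rules out perfect secrecy.
shift2 = FiniteScheme(uniform_keys(range(26)), product(range(26), repeat=2),
                      lambda k, m: ((m[0] + k) % 26, (m[1] + k) % 26))

# Two-bit one-time pad whose Gen is biased: key 00 with probability 1/2, the others 1/6.
# Sizes match and every (m, c) still has a unique key, so only item (1) of Theorem 2.8 fails.
biased_otp = FiniteScheme({0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)},
                          range(4), lambda k, m: k ^ m)

if __name__ == "__main__":
    for name, s in [("shift, 1 letter", shift1), ("biased 2-bit OTP", biased_otp)]:
        print(name, is_perfectly_indistinguishable(s), max_eav_success(s), shannon_conditions(s))
    # shift2 has 676 messages; one revealing pair is enough to exhibit the break.
    print("shift, 2 letters", is_perfectly_indistinguishable(shift2),
          best_eav_success(shift2, (0, 0), (0, 1)), shannon_conditions(shift2))
```

The two failing schemes fail for different reasons, which is exactly what Shannon's theorem separates: the two-letter shift cipher has too few keys, so an adversary choosing $m_0 = (0,0)$ and $m_1 = (0,1)$ wins the experiment with probability 1 (their ciphertext sets are disjoint), while the biased pad has the right key count and the unique-key property and breaks only through its key distribution, giving the best adversary success $2/3$ instead of $1/2$. Note that `max_eav_success` and the exhaustive indistinguishability check are exponential in the message length and are only meant for toy parameters; the point is that the definitions are decidable, not that this is how one analyzes a real cipher.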


2.5  Summary 

This  completes  our  treatment  of  perfectly-secret  encryption.  The  main  les- 
son of  this  chapter  is  that  perfect  secrecy  is  attainable,  meaning  that  there  exist 
encryption  schemes  with  the  property  that  the  ciphertext  reveals  absolutely 
nothing  about  the  plaintext,  even  to  an  adversary  with  unlimited  computa- 
tional power.  However,  all  such  schemes  have  the  limitation  that  the  key  must 
be  at  least  as  long  as  the  message.  In  practice,  therefore,  perfectly-secret  en- 
cryption is  rarely  used.  We  remark  that  it  is  rumored  that  the  “red  phone” 
linking  the  White  House  and  the  Kremlin  during  the  Cold  War  was  protected 
using  one-time  pad  encryption.  Of  course,  the  governments  of  the  US  and 
USSR  could  exchange  extremely  long  random  keys  without  great  difficulty, 
and  therefore  practically  use  the  one-time  pad.  However,  in  most  settings 
(especially  commercial  ones),  the  limitation  regarding  the  key  length  makes 
the  one-time  pad  or  any  other  perfectly-secret  scheme  unusable. 


References  and  Additional  Reading 

The  notion  of  perfectly-secret  encryption  was  introduced  and  studied  in  the 
cussion of perfect secrecy.

In this chapter we have briefly studied perfectly-secure encryption. There are other cryptographic problems that can also be solved with "perfect" security. A notable example is the problem of message authentication where the aim is to prevent an adversary from modifying a message (in an undetectable manner) en route from one party to another; we study this problem in depth in Chapter 4 in the computational setting. The reader interested in learning about perfectly-secure message authentication is referred to the paper by Stinson [136], the survey by Simmons [134], or the first edition of Stinson's textbook [137, Chapter 10] for further information.
Exercises

2.1  Prove  the  second  direction  of  Lemma  2.2. 

2.2 Prove or refute: For every encryption scheme that is perfectly secret it holds that for every distribution over the message space $\mathcal{M}$, every $m, m' \in \mathcal{M}$, and every $c \in \mathcal{C}$:

$$\Pr[M = m \mid C = c] = \Pr[M = m' \mid C = c].$$

2.3 When using the one-time pad (Vernam's cipher) with the key $k = 0^\ell$, it follows that $\mathsf{Enc}_k(m) = k \oplus m = m$ and the message is effectively sent in the clear! It has therefore been suggested to improve the one-time pad by only encrypting with a key $k \neq 0^\ell$ (i.e., to have Gen choose k uniformly at random from the set of non-zero keys of length $\ell$). Is this an improvement? In particular, is it still perfectly secret? Prove your answer. If your answer is positive, explain why the one-time pad is not described in this way. If your answer is negative, reconcile this with the fact that encrypting with $0^\ell$ doesn't change the plaintext.

2.4 In this exercise, we study conditions under which the shift, mono-alphabetic
substitution, and Vigenère ciphers are perfectly secret:

(a) Prove that if only a single character is encrypted, then the shift
cipher is perfectly secret.

(b) What is the largest plaintext space M you can find for which
the mono-alphabetic substitution cipher provides perfect secrecy?
(Note: M need not contain only valid English words.)

(c) Show how to use the Vigenère cipher to encrypt any word of length t
so that perfect secrecy is obtained (note: you can choose the length
of the key). Prove your answer.

Reconcile this with the attacks that were shown in the previous chapter.

2.5  Prove  or  refute:  Every  encryption  scheme  for  which  the  size  of  the  key 
space  equals  the  size  of  the  message  space,  and  for  which  the  key  is 
chosen  uniformly  from  the  key  space,  is  perfectly  secret. 

2.6 Say encryption scheme (Gen, Enc, Dec) satisfies Definition 2.1 for all
distributions over M that assign non-zero probability to each m ∈ M (as
per the simplifying convention used in this chapter). Show that the
scheme satisfies the definition for all distributions over M (i.e., including
those that assign zero probability to some messages in M). Conclude
that the scheme is also perfectly secret for any message space M' ⊆ M.

2.7 Prove that Definition 2.1 implies Definition 2.4.

Hint:  Use  Exercise  2.6  to  argue  that  perfect  secrecy  holds  for  the  uniform 
distribution  over  any  two  plaintexts  (and  in  particular,  the  two  messages 
output  by  A in  the  experiment).  Then  apply  Lemma  2.3. 

2.8 Prove the second direction of Proposition 2.5. That is, prove that
Definition 2.4 implies Definition 2.1.

Hint: If a scheme Π is not perfectly secret with respect to Definition 2.1,
then Lemma 2.3 shows that there exist messages m_0, m_1 ∈ M and c ∈ C
for which Pr[C = c | M = m_0] ≠ Pr[C = c | M = m_1]. Use these m_0
and m_1 to construct an A for which Pr[PrivK^{eav}_{A,Π} = 1] > 1/2.

2.9 Consider the following definition of perfect secrecy for the encryption
of two messages. An encryption scheme (Gen, Enc, Dec) over a message
space M is perfectly-secret for two messages if for all distributions over
M, all m, m' ∈ M, and all c, c' ∈ C with Pr[C = c ∧ C' = c'] > 0:

$\Pr[M = m \wedge M' = m' \mid C = c \wedge C' = c'] = \Pr[M = m \wedge M' = m'],$

where m and m' are sampled independently from the same distribution
over M. Prove that no encryption scheme satisfies this definition.

Hint: Take m ≠ m' but c = c'.

2.10 Consider the following definition of perfect secrecy for the encryption
of two messages. Encryption scheme (Gen, Enc, Dec) over a message
space M is perfectly-secret for two messages if for all distributions over
M, all m, m' ∈ M with m ≠ m', and all c, c' ∈ C with c ≠ c' and
Pr[C = c ∧ C' = c'] > 0:

$\Pr[M = m \wedge M' = m' \mid C = c \wedge C' = c'] = \Pr[M = m \wedge M' = m' \mid M \neq M'],$

where m and m' are sampled independently from the same distribution
over M. Show an encryption scheme that provably satisfies this definition.
How long are the keys compared to the length of a message?

Hint: The encryption scheme you propose need not be “efficient”.

2.11 Prove that we may assume that the key-generation algorithm Gen always
chooses a key uniformly from the key space K.

Hint: Let K denote the set of all possible random tapes for the randomized
algorithm Gen.

2.12 Assume that we require only that an encryption scheme (Gen, Enc, Dec)
over a message space M satisfies the following: for all m ∈ M, the
probability that Dec_k(Enc_k(m)) = m is at least 2^{-t}. (This probability
is taken over choice of k as well as any randomness that may be used
during encryption or decryption.) Show that perfect secrecy (as in
Definition 2.1) can be achieved with |K| < |M| when t > 1. Can you prove
a lower bound on the required size of K?

2.13 Prove an analogue of Theorem 2.7 for the case of “almost perfect”
secrecy. That is, let ε < 1 be a constant and say we only require that for
any distribution over M, any m ∈ M, and any c ∈ C:

$|\Pr[M = m \mid C = c] - \Pr[M = m]| < \varepsilon.$

Prove a lower bound on the size of the key space K relative to M for
any encryption scheme that meets this definition.

Hint: Consider the uniform distribution over M and fix a ciphertext c.
Then show that for a (1 − ε) fraction of the messages m ∈ M, there must
exist a key mapping m to c.
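The following Python program is an added illustration and is not part of the textbook or its exercises. It applies the criterion of Lemma 2.3 (a scheme with a uniformly chosen key is perfectly secret exactly when Pr[C = c | M = m_0] = Pr[C = c | M = m_1] for all m_0, m_1 ∈ M and all c) mechanically to any finite scheme given as a key set, a message set and an encryption function, and then runs it on the schemes of Exercises 2.3 and 2.4: the one-time pad with all keys, the one-time pad restricted to non-zero keys, the shift cipher on one and on two letters, and the Vigenère cipher with a key as long as the word. The function names (ciphertext_distributions, is_perfectly_secret, otp_bits, otp_nonzero_keys, shift_cipher, vigenere_full_length_key) are this example's own choices, and letters are represented as integers 0..25.

```python
from fractions import Fraction
from itertools import product

# Added illustration for the exercises of Chapter 2; none of these helpers
# come from the book. Probabilities are exact rationals so that the
# equality test of Lemma 2.3 is not disturbed by floating-point rounding.


def ciphertext_distributions(keys, messages, enc):
    """Return {m: {c: Pr[C = c | M = m]}} for a key chosen uniformly from `keys`.

    Only ciphertexts that actually occur are listed for each message, so two
    inner tables compare equal exactly when they have the same support and
    the same probability on every ciphertext in it.
    """
    dists = {}
    for m in messages:
        counts = {}
        for k in keys:
            c = enc(k, m)
            counts[c] = counts.get(c, 0) + 1
        dists[m] = {c: Fraction(n, len(keys)) for c, n in counts.items()}
    return dists


def is_perfectly_secret(keys, messages, enc):
    """Lemma 2.3 criterion: Pr[C = c | M = m0] == Pr[C = c | M = m1] for all m0, m1, c."""
    dists = ciphertext_distributions(keys, messages, enc)
    reference = next(iter(dists.values()))
    return all(table == reference for table in dists.values())


def otp_bits(ell):
    """One-time pad over {0,1}^ell: keys = messages = all ell-bit strings, Enc_k(m) = k XOR m."""
    space = list(product((0, 1), repeat=ell))

    def enc(k, m):
        return tuple(kb ^ mb for kb, mb in zip(k, m))

    return space, space, enc


def otp_nonzero_keys(ell):
    """Exercise 2.3: the same pad, but Gen only ever outputs a key k != 0^ell."""
    keys, messages, enc = otp_bits(ell)
    return [k for k in keys if any(k)], messages, enc


def shift_cipher(t):
    """Shift cipher on words of t letters: one key k in {0..25} is added to every letter."""
    keys = list(range(26))
    messages = list(product(range(26), repeat=t))

    def enc(k, m):
        return tuple((x + k) % 26 for x in m)

    return keys, messages, enc


def vigenere_full_length_key(t):
    """Exercise 2.4(c): Vigenere with a t-letter key on t-letter words, each key letter independent."""
    keys = list(product(range(26), repeat=t))
    messages = list(product(range(26), repeat=t))

    def enc(k, m):
        return tuple((x + y) % 26 for x, y in zip(m, k))

    return keys, messages, enc


if __name__ == "__main__":
    print("one-time pad, 3 bits, all keys:       ", is_perfectly_secret(*otp_bits(3)))
    print("one-time pad, 3 bits, non-zero keys:  ", is_perfectly_secret(*otp_nonzero_keys(3)))
    print("shift cipher, single letter:          ", is_perfectly_secret(*shift_cipher(1)))
    print("shift cipher, two letters:            ", is_perfectly_secret(*shift_cipher(2)))
    print("Vigenere, key as long as the word (2):", is_perfectly_secret(*vigenere_full_length_key(2)))
```

Run as a script it prints one verdict per scheme. The check is the whole of Lemma 2.3, so it can be pointed at any other small scheme (a substitution cipher on a chosen plaintext space M, say, for Exercise 2.4(b)) by supplying its key set, message set and encryption function; the cost is |K|·|M| encryptions, which is why the Vigenère case is run with t = 2.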


Part  II 

Private-Key  (Symmetric) 
Cryptography 
Chapter 3


Private-Key  Encryption  and 
Pseudorandomness 


In this chapter, we will study the notion of pseudorandomness — the idea
that things can “look” completely random (in a sense we precisely define)
even though they are not — and see how this can be used to achieve secure
encryption beating the bounds of the previous chapter. Specifically, we will
see encryption schemes whereby a short key (say, some hundreds of bits long)
can be used to securely encrypt many long messages (say, gigabytes in total).
Such schemes are able to bypass the inherent limitations of perfect secrecy
because they achieve the weaker but sufficient notion of computational secrecy.
Before commencing our discussion of private-key encryption, we first examine
the computational approach to cryptography in general. The computational
approach will be used in the rest of the book, and is the basis of modern
cryptography.


3.1  A Computational  Approach  to  Cryptography 

In the previous two chapters we have studied what can be called classical
cryptography. We began with a brief look at some historical ciphers, with
a focus on how they can be broken and what can be learned from these
attacks. In Chapter 2, we then proceeded to present cryptographic schemes
that can be mathematically proven secure (with respect to some particular
definition of security), even when the adversary has unlimited computational
power. Such schemes are called information-theoretically secure, or perfectly
secure, because their security is due to the fact that the adversary simply
does not have enough “information” to succeed in its attack, regardless of
the adversary’s computational power.¹ In particular, as we have discussed,
the ciphertext in a perfectly-secret encryption scheme does not contain any
information about the plaintext (assuming the key is unknown).


¹The term “information” has a rigorous, mathematical meaning, but we use it here in an
informal manner.
Information-theoretic security stands in stark contrast to computational
security that is the aim of most modern cryptographic constructions.
Restricting ourselves to the case of private-key encryption (though everything
we say applies more generally), modern encryption schemes have the property
that they can be broken given enough time and computation, and so they do not
satisfy Definition 2.1. Nevertheless, under certain assumptions, the amount of
computation needed to break these encryption schemes would take more than
many lifetimes to carry out even using the fastest available supercomputers.
For all practical purposes, this level of security suffices.

Computational security is weaker than information-theoretic security. It
also currently relies on unproven assumptions, whereas no assumptions are
needed to achieve the latter.² Even granting the fact that computational
security suffices for all practical purposes, why do we give up on the idea of
achieving perfect security? The results of Section 2.3 give one reason why
modern cryptography has taken this route. In that section, we showed that
perfectly-secret encryption schemes suffer from severe lower bounds on the
key length; namely, the key must be as long as the combined length of all
messages ever encrypted using this key. Similar negative results hold for other
cryptographic tasks when information-theoretic security is required. Thus,
despite its mathematical appeal, it is necessary to compromise on perfect
security in order to obtain practical cryptographic schemes. We stress that
although we cannot obtain perfect security, this does not mean that we do
away with the rigorous mathematical approach. Rather, definitions and proofs
are still essential, and the only difference is that now we consider weaker, but
still meaningful, definitions of security.

3.1.1  The  Basic  Idea  of  Computational  Security 

Kerckhoffs is best known for his principle that cryptographic designs should
be made public. However, he actually spelled out six principles, the following
of which is very relevant to our discussion here:

A [cipher] must be practically, if not mathematically, indecipherable.

Although he could not have stated it in this way at the time, this principle
of Kerckhoffs essentially says that it is not necessary to use a perfectly-secret
encryption scheme, but it instead suffices to use a scheme that cannot be
broken in “reasonable time” with any “reasonable probability of success” (in
Kerckhoffs’ language, a scheme that is “practically indecipherable”). In more
concrete terms, it suffices to use an encryption scheme that can (in theory) be
broken, but that cannot be broken with probability better than in 200
years using the fastest available supercomputer. In this section we present a
framework for making formal statements about cryptographic schemes that
are “practically unbreakable”.


²In theory, it is possible that these assumptions might one day be removed. Unfortunately,
however, our current state of knowledge requires us to make assumptions in order to prove
computational security of any cryptographic construction. For those familiar with the P
versus NP question, it is worth noting that any unconditional proof of a computationally
secure cryptographic construction would require, in particular, proving that P ≠ NP.

The  computational  approach  incorporates  two  relaxations  of  the  notion  of 
perfect  security: 

1. Security is only preserved against efficient adversaries that run in a
feasible amount of time, and

2. Adversaries can potentially succeed with some very small probability (that
is small enough so that we are not concerned that it will ever really
happen).

To  obtain  a meaningful  theory,  we  need  to  precisely  define  what  is  meant 
by  the  above.  There  are  two  common  approaches  for  doing  so:  the  concrete 
approach  and  the  asymptotic  approach.  We  explain  these  now. 

The concrete approach. The concrete approach quantifies the security of
a given cryptographic scheme by explicitly bounding the maximum success
probability of any adversary running for at most some specified amount of
time. That is, let t, ε be positive constants with ε < 1. Then a concrete
definition of security would, roughly speaking, take the following form:

A scheme is (t, ε)-secure if every adversary running for time at
most t succeeds in breaking the scheme with probability at most ε.

(Of course, the above serves only as a general template, and for the above
statement to make sense we need to define exactly what it means to “break”
the scheme.) As an example, one might want to use a scheme with the
guarantee that no adversary running for at most 200 years using the fastest
available supercomputer can succeed in breaking the scheme with probability
better than . Or, it may be more convenient to measure running time in terms
of CPU cycles, and to use a scheme such that no adversary running for at
most 2^{80} cycles can break the scheme with probability better than 2^{-60}.

It is instructive to get a feel for values of t, ε that are typical of modern
cryptographic schemes.

Example 3.1

Modern private-key encryption schemes are generally assumed to give almost
optimal security in the following sense: when the key has length n, an
adversary running in time t (measured in, say, computer cycles) can succeed in
breaking the scheme with probability at most t/2^n. (We will see later why
this is indeed optimal.) Computation on the order of t = 2^{60} is barely within
reach today. Running on a 1GHz computer (that executes 10^9 cycles per
second), 2^{60} CPU cycles require 2^{60}/10^9 seconds, or about 35 years. Using many
supercomputers in parallel may bring this down to a few years.

A typical value for the key length, however, might be n = 128. The
difference between 2^{60} and 2^{128} is a multiplicative factor of 2^{68}, which is a
number containing about 21 decimal digits. To get a feeling for how big this
is, note that according to physicists’ estimates the number of seconds since
the big bang is in the order of 2^{58}.

An event that occurs once every hundred years can be roughly estimated
to occur with probability 2^{-30} in any given second. Something that occurs
with probability 2^{-60} in any given second is 2^{30} times less likely, and might
be expected to occur roughly once every 100 billion years. Thus a prudent
choice of parameters would be t = 2^® and ε = (implying that the key
must be at least 128 bits long). ◊

The concrete approach can be useful in practice, since concrete guarantees
of the above type are typically what users of a cryptographic scheme are
ultimately interested in. However, one must be careful in interpreting concrete
security guarantees. As one example, if it is claimed that no adversary running
for 5 years can break a given scheme with probability better than ε, we still
must ask: what type of computing power (e.g., desktop PC, supercomputer,
network of hundreds of computers) does this assume? Does this take into
account future advances in computing power (which, by Moore’s Law, roughly
doubles every 18 months)? Does this assume “off-the-shelf” algorithms will
be used or dedicated software optimized for the attack? Furthermore, such
a guarantee says little about the success probability of an adversary running
for 2 years (other than the fact that it can be at most ε) and says nothing
about the success probability of an adversary running for 10 years.

When using the concrete security approach, schemes can be (t, ε)-secure
but never just secure. More to the point, for what ranges of t, ε should we say
that a (t, ε)-secure scheme is “secure”? There is no clear answer to this, as a
security guarantee that may suffice for the average user may not suffice when
encrypting classified government documents.

The asymptotic approach. The asymptotic approach is the one we will
take in this book. This approach, rooted in complexity theory, views the
running time of the adversary as well as its success probability as functions
of some parameter rather than as concrete numbers. Specifically, a
cryptographic scheme will incorporate a security parameter which is an integer n.
When honest parties initialize the scheme (i.e., when they generate keys),
they choose some value n for the security parameter; this value is assumed to
be known to any adversary attacking the scheme. The running time of the
adversary (and the running time of the honest parties) as well as the adversary’s
success probability are all viewed as functions of n. Then:

1. We equate the notion of “feasible strategies” or “efficient algorithms”
with probabilistic algorithms running in time polynomial in n. (We
sometimes use ppt to stand for probabilistic polynomial-time.) This
means that for some constants a, c the algorithm runs in time a · n^c on
security parameter n. We require that honest parties run in polynomial
time, and will only be concerned with achieving security against
polynomial-time adversaries. We stress that the adversary, though
required to run in polynomial time, may be much more powerful (and run
much longer) than the honest parties. Furthermore, adversarial strategies
that require a super-polynomial amount of time are not considered
realistic threats (and so are essentially ignored).

2. We equate the notion of “small probability of success” with success
probabilities smaller than any inverse polynomial in n, meaning that
for every constant c the adversary’s success probability is smaller than
n^{-c} for large enough values of n (see Definition 3.4). A function that
grows slower than any inverse polynomial is called negligible.

A definition  of  asymptotic  security  thus  takes  the  following  general  form: 

A scheme  is  secure  if  every  ppt  adversary  succeeds  in  breaking  the 
scheme  with  only  negligible  probability. 

Although  very  clean  from  a theoretical  point  of  view  (since  we  can  actually 
speak  of  a scheme  being  secure  or  not),  it  is  important  to  understand  that  the 
asymptotic  approach  only  “guarantees  security”  for  large  enough  values  of  n, 
as  the  following  example  should  make  clear. 

Example 3.2

Say we have a scheme that is secure. Then it may be the case that an adversary
running for n^3 minutes can succeed in “breaking the scheme” with probability
2^{40} · 2^{-n} (which is a negligible function of n). When n ≤ 40 this means that
an adversary running for 40^3 minutes (about 6 weeks) can break the scheme
with probability 1, so such values of n are not going to be very useful. Even
for n = 50 an adversary running for 50^3 minutes (about 3 months) can break
the scheme with probability roughly 1/1000, which may not be acceptable.
On the other hand, when n = 500 an adversary running for more than 200
years breaks the scheme only with probability roughly ◊

As indicated by the previous example, we can view a larger security
parameter as providing a “greater” level of security. For the most part, the
security parameter determines the length of the key used by the honest parties,
and we thus have the familiar concept that the longer the key, the higher the
security. The ability to “increase security” by taking a larger value for the
security parameter has important practical ramifications, since it enables
honest parties to defend against increases in computing power as well as
algorithmic advances. The following example gives a sense of how this might
play out in practice.

Example 3.3

Let us see the effect that the availability of faster computers might have on
security in practice. Say we have a cryptographic scheme where honest parties
are required to run for 10^6 · n^2 cycles, and for which an adversary running for
10^8 · n^4 cycles can succeed in “breaking” the scheme with probability 2^{30} · 2^{-n}.
(The numbers in this example are designed to make calculations easier, and
are not meant to correspond to any existing cryptographic scheme.)

Say all parties are using a 1GHz computer and n = 50. Then honest parties
run for 10^6 · 2500 cycles, or 2.5 seconds, and an adversary running for 10^8 · 50^4
cycles, or roughly 1 week, can break the scheme with probability only 2^{-20}.

Now say a 16GHz computer becomes available, and all parties upgrade.
Honest parties can increase n to 100 (which requires generating a fresh key)
and still improve their running time to 0.625 seconds (i.e., 10^6 · 100^2 cycles
at 16 · 10^9 cycles/second). In contrast, the adversary now has to run for 10^7
seconds, or more than 16 weeks, to achieve success probability 2^{-20}. The
effect of a faster computer has been to make the adversary’s job harder. ◊

The asymptotic approach has the advantage of not depending on any
specific assumptions regarding, e.g., the type of computer an adversary uses
(this is a consequence of the Church-Turing thesis from complexity theory,
which basically states that the relative speeds of all sufficiently-powerful
computing devices are polynomially related). On the other hand, as the above
examples demonstrate, it is necessary in practice to understand exactly what
level of concrete security is implied by a particular asymptotically-secure
scheme. This is because the honest parties must pick a concrete value of n to
use, and so cannot rely on assurances of what happens “for large enough values
of n”. The task of determining the value of the security parameter to use is
complex and depends on the scheme in question as well as other considerations.
Fortunately, it is usually relatively easy to translate a guarantee of asymptotic
security into a concrete security guarantee.

From here on, we use the asymptotic approach only. Nevertheless, as the
above example shows, all the results in this book can be cast as concrete
security results as well.
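The following Python program is an added illustration and is not taken from the book. It carries out the arithmetic that turns the asymptotic statements of Examples 3.1 to 3.3 into concrete numbers, using exact rational probabilities so that comparisons are not disturbed by floating-point rounding: success_bound and min_key_bits follow the t/2^n model of Example 3.1 (the latter turns a (t, ε) target into a minimum key length), example_3_2 and example_3_3 reproduce the two toy schemes exactly as the examples define them, and first_n_below_inverse_poly shows, for the function 2^{40} · 2^{-n} of Example 3.2 and a chosen exponent c, from which n onwards it drops below n^{-c}, which is the point at which the “large enough n” of the negligibility definition begins. All function and constant names are this example's own, and the cost functions of the toy schemes come from the examples, not from any real scheme.

```python
from fractions import Fraction

# Added illustration of Examples 3.1 to 3.3; the names below are this example's own.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_for_cycles(cycles, ghz):
    """Wall-clock seconds needed to execute `cycles` cycles at a clock rate of `ghz` GHz."""
    return cycles / (ghz * 1e9)


def years_for_cycles(cycles, ghz):
    """Same as seconds_for_cycles, expressed in years (Example 3.1's 2^60 cycles at 1 GHz)."""
    return seconds_for_cycles(cycles, ghz) / SECONDS_PER_YEAR


def success_bound(cycles, key_bits):
    """Example 3.1's model: an adversary running t cycles against an n-bit key
    succeeds with probability at most t / 2^n. Returned as an exact Fraction."""
    return Fraction(cycles, 2 ** key_bits)


def min_key_bits(cycles, epsilon):
    """Smallest key length n with t / 2^n <= epsilon: the (t, epsilon) target of the
    concrete approach, turned into a key-length requirement under the t / 2^n model."""
    n = 0
    while success_bound(cycles, n) > epsilon:
        n += 1
    return n


def negligible_candidate(n):
    """Example 3.2's success function 2^40 * 2^-n, as an exact rational."""
    return Fraction(2 ** 40, 2 ** n)


def first_n_below_inverse_poly(c, f=negligible_candidate):
    """Smallest n at which f(n) < n^-c. For a negligible f this always terminates,
    and from this n on (for f = 2^40 * 2^-n) the bound n^-c holds for the exponent c."""
    n = 1
    while f(n) >= Fraction(1, n ** c):
        n += 1
    return n


def example_3_2(n):
    """Example 3.2: the adversary runs n^3 minutes and succeeds with probability 2^40 * 2^-n.
    Returns (minutes, success probability)."""
    return n ** 3, negligible_candidate(n)


def example_3_3(n, ghz):
    """Example 3.3's toy scheme: honest parties run 10^6 * n^2 cycles; an adversary running
    10^8 * n^4 cycles succeeds with probability 2^30 * 2^-n.
    Returns (honest seconds, adversary seconds, adversary success probability)."""
    honest = seconds_for_cycles(10 ** 6 * n ** 2, ghz)
    adversary = seconds_for_cycles(10 ** 8 * n ** 4, ghz)
    return honest, adversary, Fraction(2 ** 30, 2 ** n)


if __name__ == "__main__":
    print(f"2^60 cycles at 1 GHz: {years_for_cycles(2 ** 60, 1):.1f} years")
    print(f"key bits for (2^80, 2^-60)-security: {min_key_bits(2 ** 80, Fraction(1, 2 ** 60))}")
    for n in (40, 50, 500):
        minutes, p = example_3_2(n)
        print(f"Example 3.2, n={n}: {minutes / (60 * 24):.1f} days of work, success {p}")
    print(f"2^40 * 2^-n first drops below n^-2 at n = {first_n_below_inverse_poly(2)}")
    for n, ghz in ((50, 1), (100, 16)):
        h, a, p = example_3_3(n, ghz)
        print(f"Example 3.3, n={n} at {ghz} GHz: honest {h} s, adversary {a / 86400:.1f} days, success {p}")
```

The same functions serve the parameter-selection question raised after Example 3.3: feed min_key_bits the adversary budget and the failure probability you are prepared to tolerate, and it returns the key length that the t/2^n model demands; the Fraction results make it easy to see when a “roughly 1/1000” in the text is really 1/1024.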

A technical remark. As we have mentioned, we view the running time of
the adversary and the honest parties as a function of n. To be consistent
with the standard convention in algorithms and complexity theory, where the
running time of an algorithm is measured as a function of the length of its
input, we will provide the adversary and the honest parties with the security
parameter in unary as 1^n (i.e., a string of n 1’s) when necessary.

Necessity of the Relaxations

As we have seen, computational security introduces two relaxations of the
notion of perfect security: first, security is guaranteed only against efficient
(i.e., polynomial-time) adversaries; second, a small (i.e., negligible) probability
of success is allowed. Both of these relaxations are essential for achieving
practical cryptographic schemes, and in particular for bypassing the negative
results for perfectly-secret encryption. We will now informally discuss why
this is the case. Assume we have an encryption scheme where the size of the
key space K is much smaller than the size of the message space M (which, as
we saw in the previous chapter, means that the scheme cannot be perfectly
secret). Two attacks, lying at opposite extremes, apply regardless of how the
encryption scheme is constructed:

• Given a ciphertext c, an adversary can decrypt c using all keys k ∈ K.
This gives a list of all possible messages to which c can possibly
correspond. Since this list cannot contain all of M (because |K| < |M|), this
leaks some information about the message that was encrypted.

Moreover, say the adversary carries out a known-plaintext attack and
learns that ciphertexts c_1, ..., c_ℓ correspond to the messages m_1, ..., m_ℓ,
respectively. The adversary can again try decrypting each of these
ciphertexts with all possible keys until it finds a key k for which Dec_k(c_i) =
m_i for all i. This key will be unique with high probability, in which case
the adversary has found the key that the honest parties are using.³
Subsequent usage of this key will therefore be insecure.

This type of attack is known as brute-force search and allows the
adversary to succeed with probability essentially 1 in time linear in |K|.

• Consider again the case where the adversary learns that ciphertexts
c_1, ..., c_ℓ correspond to the messages m_1, ..., m_ℓ. The adversary can
guess a key k ∈ K at random and check to see whether Dec_k(c_i) = m_i
for all i. If so, we again expect that with high probability k is the key
that the honest parties are using.

Here the adversary runs in essentially constant time and succeeds with
non-zero (although very small) probability of roughly 1/|K|.

It follows that if we wish to encrypt many messages using a single short key,
security can only be achieved if we limit the running time of the adversary (so
that the adversary does not have time to carry out a brute-force search) and
also allow a very small probability of success without considering it a break
(so that the second “attack” is ruled out). Thus, both of the aforementioned
relaxations are essential. We remark that an additional consequence of the
above discussion is that the keyspace in any secure encryption scheme must be
large enough so that the adversary cannot traverse it. Stated more formally,
the size of the keyspace must be super-polynomial in the security parameter.


³Technically speaking, the key may not actually be unique (for example, the same key may
be represented by more than one string). Nevertheless, if this is the case then an equivalent
key will be found, yielding the same effect.

3.1.2  Efficient  Algorithms  and  Negligible  Success 

In the previous section we have outlined the approach of asymptotic security
that we will be taking in this book. Students who have not had significant
prior exposure to algorithms or complexity theory may not be comfortable
with the notions of “polynomial-time algorithms”, “probabilistic (or
randomized) algorithms”, or “negligible probabilities”, and often find the
asymptotic approach confusing. In this section we revisit the asymptotic
approach in more detail, and slightly more formally. Students who are already
comfortable with what was described in the previous section are welcome to
skip ahead to Section 3.1.3 and refer back here as needed.

Efficient  Computation 

We have defined efficient computation as that which can be carried out in
probabilistic polynomial time (sometimes abbreviated ppt). An algorithm A
is said to run in polynomial time if there exists a polynomial p(·) such that,
for every input x ∈ {0,1}*, the computation of A(x) terminates within at
most p(|x|) steps (here, |x| denotes the length of the string x). A probabilistic
algorithm is one that has the capability of “tossing coins”; this is a
metaphorical way of saying that the algorithm has access to a source of
randomness that yields unbiased random bits that are each independently
equal to 1 with probability 1/2 and to 0 with probability 1/2. Equivalently,
we can view a randomized algorithm as one which is given, in addition to its
input, a uniformly-distributed bit-string of “adequate length” on a special
random tape. When considering a probabilistic polynomial-time algorithm
with running time p and an input of length n, a random string of length p(n)
will certainly be adequate as the algorithm can only use p(n) random bits
within the allotted time.

Those familiar with complexity theory or algorithms will recognize that the
idea of equating efficient computation with (probabilistic) polynomial-time
computation is not unique to cryptography. The primary advantage of working
with (probabilistic) polynomial-time algorithms is that this gives a class of
algorithms that is closed under composition, meaning that a polynomial-time
algorithm A that runs another polynomial-time algorithm A' as a sub-routine
will also run in polynomial-time. Other than this useful fact, there is nothing
inherently special about restricting adversaries to run in polynomial time, and
essentially all the results we will see in this book could also be formulated in
terms of adversaries running in, say, time (with honest parties still
running in polynomial time).

Before proceeding, we address the question of why we consider probabilistic
polynomial-time  algorithms  rather  than  just  deterministic  polynomial-time 
ones.  There  are  two  main  answers  for  this.  First,  randomness  is  essential  to 
cryptography  (e.g.,  in  order  to  choose  random  keys  and  so  on)  and  so  honest 
parties  must  be  probabilistic.  Given  that  this  is  the  case,  it  is  natural  to 
consider  adversaries  that  are  probabilistic  as  well.  A second  reason  for  con- 
sidering probabilistic  algorithms  is  that  the  ability  to  toss  coins  may  provide 
additional  power.  Since  we  use  the  notion  of  efficient  computation  to  model 
realistic  adversaries,  it  is  important  to  make  this  class  as  large  as  possible 
(while  still  being  realistic). 

As an aside, we mention that the question of whether or not probabilistic polynomial-time adversaries are more powerful than deterministic polynomial-time adversaries is unresolved. In fact, recent results in complexity theory indicate that randomness does not help. Nevertheless, it does not hurt to model adversaries as probabilistic algorithms, and this can only provide stronger guarantees — that is, any scheme secure against probabilistic polynomial-time adversaries is certainly secure against deterministic polynomial-time adversaries as well.

Generating randomness. We have modeled all parties as probabilistic polynomial-time algorithms because, as we have mentioned, cryptography is only possible if randomness is available. (If secret keys cannot be generated at random, then an adversary can follow the same procedure used by the honest parties to obtain their “secret key”. Recall that by Kerckhoffs’ principle, we assume that this procedure is known.) Given this, one may wonder whether it is possible to actually “toss coins” on a computer and achieve probabilistic computation.

There are a number of ways “random bits” are obtained in practice. One solution is to use hardware random number generators that generate random bit-streams based on certain physical phenomena like thermal/electrical noise or radioactive decay. Another possibility is to use software random number generators which generate random bit-streams based on unpredictable behavior such as the time between key-strokes, movement of the mouse, hard disk access times, and so on. Some modern operating systems provide functions of this sort. In both of these cases, the underlying unpredictable event (whether natural or user-dependent) is unlikely to directly yield uniformly-distributed bits, and so further processing of the initial bit-stream is needed. Techniques for doing this are complex yet generally poorly understood, and are outside the scope of this text.

One must be careful in how random bits are chosen, and the use of badly-designed or inappropriate random number generators can often leave a good cryptosystem vulnerable to attack. Particular care must be taken to use a random number generator that is designed for cryptographic use, rather than a “general-purpose” random number generator which may be fine for some applications but not cryptographic ones. As one specific example, using the random() function in the C programming language is a bad idea since it is not very random at all. Likewise, the current time (even to the millisecond) is not very random and cannot serve as the basis for a secret key.

Negligible Success Probability

Modern cryptography allows schemes that can be broken with very small probability to still be considered “secure”. In the same way that we consider polynomial running times to be feasible, we consider inverse-polynomial probabilities to be significant. Thus, if an adversary could succeed in breaking a scheme with probability 1/p(n) for some (positive) polynomial p, then the scheme would not be considered secure. However, if the probability that the scheme can be broken is asymptotically smaller than 1/p(n) for every polynomial p, then we consider the scheme to be secure. This is due to the fact that the probability of adversarial success is so small that it is considered uninteresting. We call such probabilities of success negligible, and have the following definition.

DEFINITION 3.4 A function f is negligible if for every polynomial p(·) there exists an N such that for all integers n > N it holds that $f(n) < \frac{1}{p(n)}$.

An equivalent formulation of the above is to require that for all constants c there exists an N such that for all n > N it holds that $f(n) < n^{-c}$. For shorthand, the above is also stated as follows: for every polynomial p(·) and all sufficiently large values of n it holds that $f(n) < \frac{1}{p(n)}$. This is, of course, the same. We typically denote an arbitrary negligible function by negl.

Example 3.5

The functions $2^{-n}$, $2^{-\sqrt{n}}$, and $n^{-\log n}$ are all negligible. However, they approach zero at very different rates. In order to see this, we will show for what values of n each function is smaller than $10^{-6}$:

1. $2^{20} = 1048576$ and thus for $n \ge 20$ we have that $2^{-n} < 10^{-6}$.

2. $2^{20} = 1048576$ and thus for $n \ge 400$ we have that $2^{-\sqrt{n}} < 10^{-6}$.

3. $32^{5} = 33554432$ and thus for $n \ge 32$ we have that $n^{-\log n} < 10^{-6}$.

From the above you may have the impression that $n^{-\log n}$ approaches zero more quickly than $2^{-\sqrt{n}}$. However this is incorrect; for all $n > 65536$ it holds that $2^{-\sqrt{n}} < n^{-\log n}$. Nevertheless, this does show that for values of n in the hundreds or thousands, an adversarial success probability of $n^{-\log n}$ is preferable to an adversarial success probability of $2^{-\sqrt{n}}$. ◊

A technical advantage of working with negligible success probabilities is that they also obey certain closure properties. The following is an easy exercise.

PROPOSITION 3.6 Let $\mathsf{negl}_1$ and $\mathsf{negl}_2$ be negligible functions. Then,

1. The function $\mathsf{negl}_3$ defined by $\mathsf{negl}_3(n) = \mathsf{negl}_1(n) + \mathsf{negl}_2(n)$ is negligible.

2. For any positive polynomial p, the function $\mathsf{negl}_4$ defined by $\mathsf{negl}_4(n) = p(n) \cdot \mathsf{negl}_1(n)$ is negligible.

The second part of the above proposition implies that if a certain event occurs with only negligible probability in a certain experiment, then the event occurs with negligible probability even if the experiment is repeated polynomially-many times. For example, the probability that n coin flips all come up “heads” is negligible. This means that even if we flip n coins polynomially-many times, the probability that any of these trials resulted in n heads is still negligible. (Formally this is proven using the union bound, stated in Proposition A.7.)
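The thresholds of Example 3.5 and the closure property of Proposition 3.6 can be checked numerically. The following Python script is an added example and is not part of the textbook. It finds the exact smallest n at which each function of Example 3.5 drops below $10^{-6}$ (the text quotes the convenient values 20, 400 and 32, which are sufficient rather than exact), locates the crossover of $2^{-\sqrt{n}}$ and $n^{-\log n}$ at n = 65536, and shows that multiplying a negligible function by a polynomial (the constructed choice p(n) = n³) keeps it negligible, together with the union-bound estimate for repeated trials. All comparisons are made on base-2 logarithms so that nothing underflows; the function names are the example's own.

```python
"""Added example (not from the textbook): how fast the negligible functions of
Example 3.5 approach zero, and the closure property of Proposition 3.6.

All comparisons are done on log2 values, so nothing underflows for large n.
"""
import math

BOUND = 1e-6  # the threshold used in Example 3.5


def log2_two_pow_minus_n(n):
    """log2 of 2^{-n}."""
    return -n


def log2_two_pow_minus_sqrt_n(n):
    """log2 of 2^{-sqrt(n)}."""
    return -math.sqrt(n)


def log2_n_pow_minus_log_n(n):
    """log2 of n^{-log n} with log to base 2, as in the text: -(log2 n)^2."""
    return -(math.log2(n) ** 2)


def first_n_below(log2_f, bound=BOUND, start=1, limit=10 ** 6):
    """Smallest n >= start with f(n) < bound, tested as log2 f(n) < log2 bound."""
    log2_bound = math.log2(bound)
    for n in range(start, limit):
        if log2_f(n) < log2_bound:
            return n
    raise ValueError("no n below the limit satisfies the bound")


def sqrt_rate_beats_log_rate(n):
    """True when 2^{-sqrt(n)} < n^{-log n}, i.e. when sqrt(n) > (log2 n)^2."""
    return log2_two_pow_minus_sqrt_n(n) < log2_n_pow_minus_log_n(n)


def first_n_below_poly_times_negl(degree, bound=BOUND):
    """Proposition 3.6(2): p(n) * 2^{-n} with p(n) = n^degree is still negligible.
    Returns the first n at which it drops below the bound (log2 form: d*log2 n - n)."""
    return first_n_below(lambda n: degree * math.log2(n) - n, bound)


def repeated_trials_bound(negl_prob, trials):
    """Union bound (the n-coins example after Proposition 3.6): the probability that
    at least one of `trials` repetitions of an event of probability negl_prob
    occurs is at most trials * negl_prob (capped at 1)."""
    return min(1.0, trials * negl_prob)


if __name__ == "__main__":
    for name, f in [("2^-n", log2_two_pow_minus_n),
                    ("2^-sqrt(n)", log2_two_pow_minus_sqrt_n),
                    ("n^-log n", log2_n_pow_minus_log_n)]:
        print(f"{name:12s} < 1e-6 from n = {first_n_below(f)}")
    print("2^-sqrt(n) < n^-log n at n = 4096?  ", sqrt_rate_beats_log_rate(4096))
    print("2^-sqrt(n) < n^-log n at n = 65537? ", sqrt_rate_beats_log_rate(65537))
    print("n^3 * 2^-n < 1e-6 from n =", first_n_below_poly_times_negl(3))
    print("P[any of 2^20 trials of a 2^-40 event] <=", repeated_trials_bound(2.0 ** -40, 2 ** 20))
```

Running the script shows the exact thresholds 20, 398 and 23, so the values quoted in the example are upper bounds on them, and that for 3 ≤ n ≤ 65536 it is $n^{-\log n}$ that is the smaller of the two slower functions, with the order reversing only above 65536; multiplying $2^{-n}$ by n³ merely pushes the threshold out from 20 to 36.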

It is important to understand that events that occur with negligible probability can be safely ignored for all practical purposes (at least for large enough values of n). This is important enough to repeat and highlight:

Events that occur with negligible probability are so unlikely to occur that they can be ignored for all practical purposes. Therefore, a break of a cryptographic scheme that occurs with negligible probability is not significant.

Lest you feel uncomfortable with the fact that an adversary can break a given scheme with some tiny (but non-zero) probability, note that with some tiny (but non-zero) probability the honest parties will be hit by an asteroid while executing the scheme! More benign, but making the same point: with some non-zero probability the hard drive of one of the honest parties will fail, thus erasing the secret key. Thus it simply does not make sense to worry about events that occur with sufficiently small probability.

Asymptotic Security: A Summary

Any security definition consists of two parts: a definition of what is considered a “break” of the scheme, and a specification of the power of the adversary. The power of the adversary can relate to many issues (e.g., in the case of encryption, whether we assume a ciphertext-only attack or a chosen-plaintext attack). However, when it comes to the computational power of the adversary, we will from now on model the adversary as efficient and thus probabilistic polynomial-time (meaning that only “feasible” adversarial strategies are considered). Definitions will also always be formulated so that a break that occurs with negligible probability is not considered significant. Thus, the general framework of any security definition will be as follows:

A scheme is secure if for every probabilistic polynomial-time adversary A carrying out an attack of some specified type, the probability that A succeeds in this attack (where success is also well-defined) is negligible.

Such a definition is asymptotic because it is possible that for small values of n an adversary can succeed with high probability. In order to see this in more detail, we will use the full definition of “negligible” in the above statement:

A scheme is secure if for every probabilistic polynomial-time adversary A carrying out an attack of some specified type, and for every polynomial p(·), there exists an integer N such that the probability that A succeeds in this attack is less than 1/p(n) for every n > N.

Note that nothing is guaranteed for values n ≤ N.

3.1.3 Proofs by Reduction

As we have seen, a cryptographic scheme that is computationally secure (but not perfectly secure) can always be broken given enough time. To prove unconditionally that some scheme is computationally secure would thus require proving a lower bound on the time needed to break the scheme. Specifically, it would be necessary to prove that the scheme cannot be broken by any polynomial-time algorithm. Unfortunately, the current state of affairs is such that we are unable to prove lower bounds of this type. In fact, an unconditional proof of security for any modern encryption scheme would require breakthrough results in complexity theory that seem far out of reach today.⁴ This might seem to leave us with no choice but to simply assume that a given scheme is secure. As discussed in Section 1.4, however, this is a very undesirable approach and one that history has taught us is very dangerous.

Instead of blithely assuming that a given cryptographic construction is secure, our strategy instead will be to assume that some low-level problem is hard to solve, and then to prove that the construction in question is secure under this assumption. In Section 1.4.2 we have already explained in great detail why this approach is preferable so we do not repeat those arguments here.

⁴For those familiar with the P versus NP question, we remark that an unconditional proof of security for any encryption scheme in which messages are longer than the key would imply a proof that P ≠ NP.

FIGURE 3.1: A high-level overview of a security proof by reduction. (Figure labels: Reduction A'; Instance x of problem X; scheme Π; A; “Break”; Solution to x.)

The proof that a given cryptographic construction is secure as long as some underlying problem is hard generally proceeds by presenting an explicit reduction showing how to convert any efficient adversary A that succeeds in “breaking” the construction with non-negligible probability into an efficient algorithm A' that succeeds in solving the problem that was assumed to be hard. (In fact, this is the only sort of proof we use in this book.) Since this is so important, we walk through a high-level outline of the steps of such a proof in detail. We begin with an assumption that some problem X cannot be solved (in some precisely-defined sense) by any polynomial-time algorithm except with negligible probability. We want to prove that some cryptographic construction Π is secure (again, in some sense that is precisely defined). To do this:

1. Fix some efficient (i.e., probabilistic polynomial-time) adversary A attacking Π. Denote this adversary’s success probability by ε(n).

2. Construct an efficient algorithm A', called the “reduction”, that attempts to solve problem X using adversary A as a sub-routine. An important point here is that A' knows nothing about “how” A works; the only thing A' knows is that A is expecting to attack Π. So, given some input instance x of problem X, our algorithm A' will simulate for A an instance of Π such that:

(a) As far as A can tell, it is interacting with Π. More formally, the view of A when it is run as a sub-routine by A' should be distributed identically to (or at least close to) the view of A when it interacts with Π itself.

(b) If A succeeds in “breaking” the instance of Π that is being simulated by A', this should allow A' to solve the instance x it was given, at least with inverse polynomial probability 1/p(n).

3. Taken together, 2(a) and 2(b) imply that if ε(n) is not negligible, then A' solves problem X with non-negligible probability ε(n)/p(n). Since A' is efficient, and runs the PPT adversary A as a sub-routine, this implies an efficient algorithm solving X with non-negligible probability, contradicting the initial assumption.

4. We conclude that, given the assumption regarding X, no efficient adversary A can succeed in breaking Π with probability that is not negligible. Stated differently, Π is computationally secure.

This will become more clear when we see examples of such proofs in the sections that follow.


3.2 Defining Computationally-Secure Encryption

Given the background of the previous section, we are ready to present a definition of computational security for private-key encryption. First, we redefine the syntax of private-key encryption; this will essentially be the same as the syntax introduced in Chapter 2 except that we will now explicitly take into account the security parameter. We will also now let the message space be, by default, the set $\{0,1\}^*$ of all (finite-length) binary strings.

DEFINITION 3.7 A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that:

1. The key-generation algorithm Gen takes as input the security parameter $1^n$ and outputs a key k; we write this as $k \leftarrow \mathsf{Gen}(1^n)$ (thus emphasizing the fact that Gen is a randomized algorithm). We will assume without loss of generality that any key k output by $\mathsf{Gen}(1^n)$ satisfies $|k| \ge n$.

2. The encryption algorithm Enc takes as input a key k and a plaintext message $m \in \{0,1\}^*$, and outputs a ciphertext c.⁵ Since Enc may be randomized, we write this as $c \leftarrow \mathsf{Enc}_k(m)$.

3. The decryption algorithm Dec takes as input a key k and a ciphertext c, and outputs a message m. We assume that Dec is deterministic, and so write this as $m := \mathsf{Dec}_k(c)$.

It is required that for every n, every key k output by $\mathsf{Gen}(1^n)$, and every $m \in \{0,1\}^*$, it holds that $\mathsf{Dec}_k(\mathsf{Enc}_k(m)) = m$.⁶

If (Gen, Enc, Dec) is such that for k output by $\mathsf{Gen}(1^n)$, algorithm $\mathsf{Enc}_k$ is only defined for messages $m \in \{0,1\}^{\ell(n)}$, then we say that (Gen, Enc, Dec) is a fixed-length private-key encryption scheme for messages of length $\ell(n)$.

⁵As a technical condition, Enc is allowed to run in time polynomial in $|k| + |m|$ (i.e., the total length of its inputs). If we only included $|m|$ then encrypting a single bit would not take polynomial time, and if we only included $|k|$ then we would have to a priori bound the length of messages m that could be encrypted. Although needed, this technicality can be ignored from here on.

⁶Given this, our assumption that Dec is deterministic is without loss of generality.
We remark that it is almost always the case in this chapter and the next that $\mathsf{Gen}(1^n)$ chooses $k \leftarrow \{0,1\}^n$ uniformly at random.

3.2.1 The Basic Definition of Security

There are a number of standard ways of defining security for private-key encryption, with the main differences relating to the assumed power of the adversary in its attack. We begin by presenting the most basic notion of security — security against a weak form of ciphertext-only attack where the adversary only observes a single ciphertext — and consider stronger definitions of security later in the chapter.

Motivating the definition. As discussed in Chapter 1, any definition of security consists of two distinct components: a specification of the assumed power of the adversary, and a description of what constitutes a “break” of the scheme. We begin our definitional treatment by considering the case of an eavesdropping adversary who observes the encryption of a single message or, equivalently, is given a single ciphertext that it wishes to “crack”. This is a rather weak class of adversaries, but is exactly the type of adversary that was considered in the previous chapter (we will encounter stronger adversaries later in the chapter). Of course, as explained in the previous section, we are now interested only in adversaries that are computationally bounded and limited to running in polynomial time.

Although we have made two substantial assumptions about the adversary’s capabilities (i.e., that it only eavesdrops, and that it runs in polynomial time), we make no assumptions whatsoever about the adversary’s strategy. This is crucial for obtaining meaningful notions of security because it is impossible to predict all possible strategies. We therefore protect against all strategies that can be carried out by adversaries within the class we have defined.

Defining the “break” for encryption is not trivial, but we have already discussed this issue at length in Section 1.4.1 and in the previous chapter. We therefore just recall that the idea behind the definition is that the adversary should be unable to learn any partial information about the plaintext from the ciphertext. The definition of semantic security directly formalizes exactly this notion, and was the first definition of security for encryption to be proposed. Unfortunately, the definition of semantic security is complex and difficult to work with. Fortunately, there is an equivalent definition in terms of indistinguishability which is much simpler. Since the definitions are equivalent, we can work with the simpler definition of indistinguishability while being convinced that the security guarantees we obtain are those we expect from semantic security. (See Section 3.2.2 for further discussion on this point.)

The definition of indistinguishability we give here is syntactically almost identical to the alternative definition of perfect secrecy given as Definition 2.4. (This serves as further motivation that the definition of indistinguishability is a “good” one.) Recall that Definition 2.4 considers an experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$ in which an adversary A outputs two messages $m_0$ and $m_1$, and is then given an encryption of one of these messages, chosen at random, using a randomly-generated key. The definition states that a scheme Π is secure if no adversary A can determine which of the messages $m_0, m_1$ was encrypted with probability any different from 1/2 (which is the probability of just making a random guess).

Here, we keep the experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$ almost exactly the same (except for some technical differences discussed below), but introduce two key modifications in the definition itself:

1. We now consider only adversaries running in polynomial time, whereas Definition 2.4 considered even all-powerful adversaries.

2. We now concede that the adversary might determine the encrypted message with probability negligibly better than 1/2.

As discussed extensively in the previous section, the above relaxations constitute the core elements of computational security.

As for the differences introduced in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$, one is purely syntactic while the other is introduced for technical reasons. The most prominent difference is that we now parameterize the experiment by a security parameter n. We then measure both the running time of the adversary A as well as its success probability as functions of n. We write $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$ to denote the experiment being run with the given value of the security parameter, and write

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \qquad (3.1)$$

to denote the probability that A outputs 1 in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$. It is important to note that when A and Π are fixed, Equation (3.1) is a function of n.

The second difference in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$ is that we now require the adversary to output two messages $m_0, m_1$ of equal length. From a theoretical point of view, this restriction is necessary because of our requirement that an encryption scheme should be able to encrypt arbitrary-length messages. This restriction could be removed if we were willing to forego this requirement, as we did in the case of perfect secrecy; see Exercises 3.3 and 3.4 for more on this issue. This restriction is also appropriate for most encryption schemes used in practice, where different-length messages result in different-length ciphertexts, and so an adversary could trivially distinguish which message was encrypted if it were allowed to output messages of different lengths.

Most encryption schemes used in practice do not hide the length of messages that are encrypted. In cases where the length of a message might itself represent sensitive information (e.g., when it indicates the number of digits in an employee’s salary), care must be taken to pad the input to some fixed length before encrypting. We do not discuss this further.
Indistinguishability in the presence of an eavesdropper. We now give the formal definition, beginning with the experiment outlined above. The experiment is defined for any private-key encryption scheme Π = (Gen, Enc, Dec), any adversary A, and any value n for the security parameter:

The eavesdropping indistinguishability experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$:

1. The adversary A is given input $1^n$, and outputs a pair of messages $m_0, m_1$ of the same length.

2. A key k is generated by running $\mathsf{Gen}(1^n)$, and a random bit $b \leftarrow \{0,1\}$ is chosen. A ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to A. We call c the challenge ciphertext.

3. A outputs a bit b'.

4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. If $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1$, we say that A succeeded.

There is no limitation on the length of the messages $m_0$ and $m_1$ to be encrypted, as long as they are the same. (Of course, since the adversary is restricted to run in polynomial time, $m_0$ and $m_1$ have length polynomial in n.) If Π is a fixed-length scheme for messages of length $\ell(n)$, the above experiment is modified by requiring $m_0, m_1 \in \{0,1\}^{\ell(n)}$.

The definition of indistinguishability states that an encryption scheme is secure if the success probability of any PPT adversary in the above experiment is at most negligibly greater than 1/2. (Note that it is easy to succeed with probability 1/2 by just outputting a random bit b'. The challenge is to do better than this.) We are now ready for the definition.

DEFINITION 3.8 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the random coins used by A, as well as the random coins used in the experiment (for choosing the key, the random bit b, and any random coins used in the encryption process).

The definition quantifies over all probabilistic polynomial-time adversaries, meaning that security is required for all “feasible” strategies (where we equate feasible strategies with those that can be carried out in polynomial time). The fact that the adversary has only eavesdropping capabilities is implicit in the fact that its input is limited to a (single) ciphertext, and the adversary does not have any further interaction with the sender or the receiver. (As we will see later, allowing additional interaction results in a significantly stronger adversary.) Now, the definition states simply that any adversary A will succeed in guessing which message was encrypted with probability at most negligibly better than a naive guess (which is correct with probability 1/2).

Notice that the adversary is allowed to choose the messages $m_0$ and $m_1$. Thus, even though it knows that c is an encryption of one of these plaintext messages, it still cannot determine which one was encrypted. This is a very strong guarantee, and one that has great practical importance. Consider, for example, a scenario whereby the adversary knows that the message being encrypted is either “attack today” or “don’t attack.” Clearly, we do not want the adversary to know which message was encrypted, even though it already knows that it is one of these two possibilities.

An equivalent formulation. Definition 3.8 states that an eavesdropping adversary cannot determine which plaintext was encrypted with probability significantly better than it could achieve by taking a random guess. An equivalent way of formalizing the definition is to state that every adversary behaves the same way whether it sees an encryption of $m_0$ or an encryption of $m_1$ (for any $m_0, m_1$ of the same length). Since A outputs a single bit, “behaving the same way” means that it outputs 1 with almost the same probability in each case. To formalize this, define $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, b)$ to be as above, except that the fixed bit b is used (rather than being chosen at random). In addition, denote the output bit b' of A in $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, b)$ by $\mathsf{output}(\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, b))$. The following definition essentially states that A cannot determine whether it is running in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, 0)$ or experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, 1)$.

DEFINITION 3.9 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that

$$\left|\,\Pr\left[\mathsf{output}\left(\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, 0)\right) = 1\right] - \Pr\left[\mathsf{output}\left(\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n, 1)\right) = 1\right]\,\right| \le \mathsf{negl}(n).$$

The fact that this definition is equivalent to Definition 3.8 is left as an exercise.

3.2.2 * Properties of the Definition

We motivated the definition of secure encryption by saying that it should be infeasible for an adversary to learn any partial information about the plaintext from the ciphertext. However, the actual definition of indistinguishability looks very different. As we have mentioned, Definition 3.8 is indeed equivalent to semantic security that formalizes the intuitive notion that partial information cannot be learned. We will not prove full equivalence here. Instead, we will prove two claims demonstrating that indistinguishability implies weaker versions of semantic security. For comparison, we then present (essentially) the full definition of semantic security. The reader is referred to [65, Chapter 5.2] for further discussion and a full proof of equivalence.

We begin by showing that indistinguishability implies that no single bit of a randomly chosen plaintext can be guessed with probability significantly better than 1/2. Below, we denote by $m^i$ the ith bit of m, and set $m^i = 0$ if $i > |m|$.

CLAIM 3.10 Let (Gen, Enc, Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then for all probabilistic polynomial-time adversaries A and all i, there exists a negligible function negl such that:

$$\Pr\left[\mathcal{A}(1^n, \mathsf{Enc}_k(m)) = m^i\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where m is chosen uniformly at random from $\{0,1\}^n$, and the probability is taken over the random coins of A, the choice of m and the key k, and any random coins used in the encryption process.

PROOF The idea behind the proof of this claim is that if it is possible to guess the $i$th bit of $m$ given $\mathsf{Enc}_k(m)$, then it is also possible to distinguish between encryptions of plaintext messages $m_0$ and $m_1$ where the $i$th bit of $m_0$ equals 0 and the $i$th bit of $m_1$ equals 1. Specifically, given a ciphertext $c$, try to compute the $i$th bit of the underlying plaintext. If this computation indicates that the $i$th bit is 0, then guess that $m_0$ was encrypted; if it indicates that the $i$th bit is 1, then guess that $m_1$ was encrypted. Formally, we show that if there exists an adversary $\mathcal{A}$ that can guess the $i$th bit of $m$ given $\mathsf{Enc}_k(m)$ with probability at least $1/2 + \varepsilon(n)$ for some function $\varepsilon(\cdot)$, then there exists an adversary that succeeds in the indistinguishability experiment for $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ with probability $1/2 + \varepsilon(n)$. If $\Pi$ has indistinguishable encryptions, then $\varepsilon(\cdot)$ must be negligible.

In detail, let $\mathcal{A}$ be a probabilistic polynomial-time adversary and define $\varepsilon(\cdot)$ as follows:

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr\left[\mathcal{A}(1^n, \mathsf{Enc}_k(m)) = m^i\right] - \frac{1}{2},$$

where $m$ is chosen uniformly from $\{0,1\}^n$. From now on, for visual clarity, we no longer explicitly indicate the input $1^n$ to $\mathcal{A}$. Take $n > i$, let $I_0^n$ be the set of all strings of length $n$ whose $i$th bit is 0, and let $I_1^n$ be the set of all strings of length $n$ whose $i$th bit is 1. It follows that:

$$\Pr\left[\mathcal{A}(\mathsf{Enc}_k(m)) = m^i\right] = \frac{1}{2}\cdot\Pr\left[\mathcal{A}(\mathsf{Enc}_k(m_0)) = 0\right] + \frac{1}{2}\cdot\Pr\left[\mathcal{A}(\mathsf{Enc}_k(m_1)) = 1\right],$$

where $m_0$ is chosen uniformly from $I_0^n$ and $m_1$ is chosen uniformly from $I_1^n$. (The above holds because $I_0^n$ and $I_1^n$ each contain exactly half of $\{0,1\}^n$. Therefore, the probability that $m$ lies in each set is exactly 1/2.)
Consider now the following adversary $\mathcal{A}'$ who eavesdrops on the encryption of a single message:

Adversary $\mathcal{A}'$:

1. On input $1^n$ (with $n > i$), choose $m_0 \leftarrow I_0^n$ and $m_1 \leftarrow I_1^n$ uniformly at random from the indicated sets. Output $m_0, m_1$.

2. Upon receiving a ciphertext $c$, invoke $\mathcal{A}$ on input $c$. Output $b' = 0$ if $\mathcal{A}$ outputs 0, and $b' = 1$ if $\mathcal{A}$ outputs 1.

$\mathcal{A}'$ runs in polynomial time since $\mathcal{A}$ does.

Using the definition of experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A}',\Pi}(n)$ (for $n > i$), note that $b' = b$ if and only if $\mathcal{A}$ outputs $b$ upon receiving $\mathsf{Enc}_k(m_b)$. So

$$\begin{aligned} \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A}',\Pi}(n) = 1\right] &= \Pr\left[\mathcal{A}(\mathsf{Enc}_k(m_b)) = b\right] \\ &= \frac{1}{2}\cdot\Pr\left[\mathcal{A}(\mathsf{Enc}_k(m_0)) = 0\right] + \frac{1}{2}\cdot\Pr\left[\mathcal{A}(\mathsf{Enc}_k(m_1)) = 1\right] \\ &= \Pr\left[\mathcal{A}(\mathsf{Enc}_k(m)) = m^i\right] \\ &= \frac{1}{2} + \varepsilon(n). \end{aligned}$$

By the assumption that (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper, it follows that $\varepsilon(\cdot)$ must be negligible. (Note that it does not matter what happens when $n < i$, since we are concerned with asymptotic behavior only.) This completes the proof. ■


We now proceed to show, roughly speaking, that no PPT adversary can learn any function of the plaintext message given the ciphertext, and furthermore that this holds regardless of the a priori distribution over the message being sent. This requirement is non-trivial to define formally. To see why, note that even for the case of computing the $i$th bit of the plaintext message $m$ (as considered above), it is very easy to compute this value if $m$ is chosen, for example, uniformly from the set $I_0^n$ (rather than uniformly from $\{0,1\}^n$). Thus, what we actually want to say is that if an adversary receiving the ciphertext $c = \mathsf{Enc}_k(m)$ can compute $f(m)$ for some function $f$, then there exists an adversary that can compute $f(m)$ with the same probability of being correct, but without being given the ciphertext (and only knowing the a priori distribution on $m$).

Private-Key Encryption and Pseudorandomness 67

In the next claim we show the above when $m$ is chosen uniformly at random from some set $S \subseteq \{0,1\}^n$. Thus, if the plaintext is an email message, we can take $S$ to be the set of English-language messages with correct email headers. Actually, since we are considering an asymptotic setting, we will work with an infinite set $S \subseteq \{0,1\}^*$. Then for security parameter $n$, a plaintext message is chosen uniformly from $S_n \stackrel{\mathrm{def}}{=} S \cap \{0,1\}^n$ (i.e., the subset of strings of $S$ having length $n$), which is assumed never to be empty. As a technical condition, we also need to assume that it is possible to efficiently sample strings uniformly from $S_n$; that is, that there exists some probabilistic polynomial-time algorithm that, on input $1^n$, outputs a uniform element of $S_n$. We refer to this by saying that the set $S$ is efficiently sampleable. We also restrict to functions $f$ that can be computed in polynomial time.


CLAIM 3.11 Let (Gen, Enc, Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then for every probabilistic polynomial-time adversary $\mathcal{A}$ there exists a probabilistic polynomial-time algorithm $\mathcal{A}'$ such that for all polynomial-time computable functions $f$ and all efficiently-sampleable sets $S$, there exists a negligible function negl such that:

$$\left|\Pr\left[\mathcal{A}(1^n, \mathsf{Enc}_k(m)) = f(m)\right] - \Pr\left[\mathcal{A}'(1^n) = f(m)\right]\right| \le \mathsf{negl}(n),$$

where $m$ is chosen uniformly at random from $S_n \stackrel{\mathrm{def}}{=} S \cap \{0,1\}^n$, and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $\mathcal{A}$, $\mathcal{A}'$, and the encryption process.


PROOF (Sketch) We present only an informal sketch of the proof of this claim. Assume that (Gen, Enc, Dec) has indistinguishable encryptions. This implies that no probabilistic polynomial-time adversary $\mathcal{A}$ can distinguish between $\mathsf{Enc}_k(m)$ and $\mathsf{Enc}_k(1^n)$, for any $m \in \{0,1\}^n$. Consider now the probability that $\mathcal{A}$ successfully computes $f(m)$ given $\mathsf{Enc}_k(m)$. We claim that $\mathcal{A}$ should successfully compute $f(m)$ given $\mathsf{Enc}_k(1^n)$ with almost the same probability. Otherwise, $\mathcal{A}$ could be used to distinguish between $\mathsf{Enc}_k(m)$ and $\mathsf{Enc}_k(1^n)$. (The distinguisher is easily constructed: choose $m \leftarrow S_n$ uniformly at random — here we use the assumption that $S$ is efficiently-sampleable — and output $m_0 = m$, $m_1 = 1^n$. When given a ciphertext $c$ that is either an encryption of $m$ or $1^n$, invoke $\mathcal{A}$ on $c$, and output 0 if and only if $\mathcal{A}$ outputs $f(m)$. If $\mathcal{A}$ outputs $f(m)$ when it is given an encryption of $m$ with probability that is non-negligibly different than when it is given an encryption of $1^n$, then the described distinguisher violates Definition 3.9.)

The above observation yields the following algorithm $\mathcal{A}'$ that does not receive $c = \mathsf{Enc}_k(m)$, yet computes $f(m)$ equally well: on input the security parameter $1^n$, $\mathcal{A}'$ chooses a random key $k$, invokes $\mathcal{A}$ on $c := \mathsf{Enc}_k(1^n)$, and outputs whatever $\mathcal{A}$ outputs. By the above, we have that $\mathcal{A}$ outputs $f(m)$ when run as a sub-routine by $\mathcal{A}'$ with almost the same probability as when it receives $\mathsf{Enc}_k(m)$. Thus, $\mathcal{A}'$ fulfills the property required by the claim. ■

Semantic security. The full definition of semantic security is considerably more general than the property proven in Claim 3.11. Arbitrary distributions over plaintext messages are now considered, and the definition additionally takes into account arbitrary “external” information about the plaintext that may be “leaked” to the adversary through other means (e.g., because the same message $m$ is used for other purposes as well). As above, we denote by $f$ the function of the plaintext that the adversary is attempting to compute. Rather than consider a specific set $S$ (and a uniform distribution over subsets of $S$), we consider an arbitrary distribution $X = (X_1, \ldots)$, where, for security parameter $n$, the plaintext is chosen according to distribution $X_n$. We require that $X$ be efficiently sampleable, implying here the existence of a PPT algorithm that, on input $1^n$, outputs an element chosen according to distribution $X_n$. We also require that, for all $n$, all strings in $X_n$ have the same length. Finally, we model “external” information about $m$ that is “leaked” to the adversary by giving the adversary $h(m)$, for some arbitrary function $h$, in addition to an encryption of $m$. That is:


DEFINITION 3.12 A private-key encryption scheme (Gen, Enc, Dec) is semantically secure in the presence of an eavesdropper if for every probabilistic polynomial-time algorithm $\mathcal{A}$ there exists a probabilistic polynomial-time algorithm $\mathcal{A}'$ such that for all efficiently-sampleable distributions $X = (X_1, \ldots)$ and all polynomial-time computable functions $f$ and $h$, there exists a negligible function negl such that

$$\left|\Pr\left[\mathcal{A}(1^n, \mathsf{Enc}_k(m), h(m)) = f(m)\right] - \Pr\left[\mathcal{A}'(1^n, h(m)) = f(m)\right]\right| \le \mathsf{negl}(n),$$

where $m$ is chosen according to distribution $X_n$, and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $\mathcal{A}$, $\mathcal{A}'$, and the encryption process.


The adversary $\mathcal{A}$ is given the ciphertext $\mathsf{Enc}_k(m)$ as well as the history function $h(m)$, where this latter function represents whatever “external” knowledge of the plaintext $m$ the adversary may have. The adversary $\mathcal{A}$ then attempts to guess the value of $f(m)$. Algorithm $\mathcal{A}'$ also attempts to guess the value of $f(m)$, but is given only $h(m)$. The security requirement states that $\mathcal{A}$'s success in guessing $f(m)$, when given the ciphertext, can be essentially matched by some algorithm $\mathcal{A}'$ who is not given the ciphertext. Thus, the ciphertext $\mathsf{Enc}_k(m)$ does not reveal anything new about the value of $f(m)$.

Definition 3.12 constitutes a very strong and convincing formulation of the security guarantees that should be provided by an encryption scheme. Arguably, it is much more convincing than indistinguishability (that only considers two plaintexts, and does not mention external knowledge or arbitrary distributions). However, it is technically easier to work with the definition of indistinguishability (e.g., for proving that a given scheme is secure). Fortunately, it has been shown that the definitions are equivalent:

THEOREM 3.13 A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if it is semantically secure in the presence of an eavesdropper.




Looking ahead, a similar equivalence is known for all the definitions of indistinguishability that we present in this chapter. We can therefore use indistinguishability as our working definition, while being assured that the security guarantees achieved are those of semantic security.


3.3 Pseudorandomness

Having defined what it means for an encryption scheme to be secure, the reader may expect us to begin immediately with constructions of secure encryption schemes. However, before doing so we need to introduce the notion of pseudorandomness. This notion plays a fundamental role in cryptography in general, and private-key encryption in particular. Loosely speaking, a pseudorandom string is a string that looks like a uniformly distributed string, as long as the entity that is “looking” runs in polynomial time. Just as indistinguishability can be viewed as a computational relaxation of perfect secrecy, pseudorandomness is a computational relaxation of true randomness.

An important conceptual point is that, technically speaking, no fixed string can be said to be “pseudorandom” (in the same way that it does not make much sense to refer to any fixed string as “random”). Rather, pseudorandomness actually refers to a distribution on strings, and when we say that a distribution $\mathcal{D}$ over strings of length $\ell$ is pseudorandom this means that $\mathcal{D}$ is indistinguishable from the uniform distribution over strings of length $\ell$. (Strictly speaking, since we are in an asymptotic setting we actually need to speak of the pseudorandomness of a sequence of distributions $\mathcal{D} = \{\mathcal{D}_n\}$, where distribution $\mathcal{D}_n$ is associated with security parameter $n$. We ignore this point in our current discussion.) More precisely, it is infeasible for any polynomial-time algorithm to tell whether it is given a string sampled according to $\mathcal{D}$ or an $\ell$-bit string chosen uniformly at random.

Even given the above discussion, we frequently abuse notation and call a string sampled according to the uniform distribution a “random string”, and a string sampled according to a pseudorandom distribution $\mathcal{D}$ a “pseudorandom string”. This is only useful shorthand.

Before proceeding, we provide some intuition as to why pseudorandomness helps in the construction of secure private-key encryption schemes. On a simplistic level, if a ciphertext looks random, then it is clear that no adversary can learn any information from it about the plaintext. To some extent, this is the exact intuition that lies behind the perfect secrecy of the one-time pad. In that case, the ciphertext is uniformly distributed (assuming the key is unknown) and thus reveals nothing about the plaintext. (Of course, such statements only appeal to intuition and do not constitute a formal argument.) The one-time pad worked by computing the XOR of a random string (the key) with the plaintext. If a pseudorandom string were used instead, this should not make any noticeable difference to a polynomial-time observer. Thus, security should still hold for polynomial-time adversaries.

As we will see below, this idea can be implemented. The advantage of using a pseudorandom string rather than a truly random string is that a long pseudorandom string can be generated from a relatively short random seed (or key). Thus, a short key can be used to encrypt a long message, something that is impossible when perfect secrecy is required.

Pseudorandom generators. Informally, as discussed above, a distribution $\mathcal{D}$ is pseudorandom if no polynomial-time distinguisher can detect if it is given a string sampled according to $\mathcal{D}$ or a string chosen uniformly at random. Similarly to Definition 3.9, this is formalized by requiring that every polynomial-time algorithm outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom one (this output bit is interpreted as the algorithm’s “guess”). A pseudorandom generator is a deterministic algorithm that receives a short truly random seed and stretches it into a long string that is pseudorandom. Stated differently, a pseudorandom generator uses a small amount of true randomness in order to generate a large amount of pseudorandomness. In the definition that follows, we set $n$ to be the length of the seed that is input to the generator and $\ell(n)$ to be the output length. Clearly, the generator is only interesting if $\ell(n) > n$ (otherwise, it doesn’t generate any new “randomness”).

DEFINITION 3.14 Let $\ell(\cdot)$ be a polynomial and let $G$ be a deterministic polynomial-time algorithm such that for any input $s \in \{0,1\}^n$, algorithm $G$ outputs a string of length $\ell(n)$. We say that $G$ is a pseudorandom generator if the following two conditions hold:

1. (Expansion:) For every $n$ it holds that $\ell(n) > n$.

2. (Pseudorandomness:) For all probabilistic polynomial-time distinguishers $D$, there exists a negligible function negl such that:

$$\left|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\right| \le \mathsf{negl}(n),$$

where $r$ is chosen uniformly at random from $\{0,1\}^{\ell(n)}$, the seed $s$ is chosen uniformly at random from $\{0,1\}^n$, and the probabilities are taken over the random coins used by $D$ and the choice of $r$ and $s$.

The function $\ell(\cdot)$ is called the expansion factor of $G$.

Discussion. We stress that the output of a pseudorandom generator is actually very far from random. To see this, consider the case that $\ell(n) = 2n$ and so $G$ doubles the length of its input. The uniform distribution over $\{0,1\}^{2n}$ is characterized by the fact that each of the $2^{2n}$ possible strings is chosen with probability exactly $2^{-2n}$. In contrast, consider the distribution generated by $G$. Since $G$ receives an input of length $n$, the number of different possible strings in its range is at most $2^n$. Thus, the probability that a random string of length $2n$ is in the range of $G$ is at most $\frac{2^n}{2^{2n}} = 2^{-n}$ (just take the total number of strings in the range of $G$ and divide it by the number of strings of length $2n$). That is, most strings of length $2n$ do not occur as outputs of $G$.

This in particular means that it is trivial to distinguish between a random string and a pseudorandom string given an unlimited amount of time. Consider the following exponential-time $D$ that works as follows: upon input some string $w$, distinguisher $D$ outputs 1 if and only if there exists an $s \in \{0,1\}^n$ such that $G(s) = w$. (This computation is carried out by searching all of $\{0,1\}^n$ and computing $G(s)$ for every $s \in \{0,1\}^n$. This computation can be carried out because the specification of $G$ is known; only its random seed is unknown.) Now, if $w$ was generated by $G$, it holds that $D$ outputs 1 with probability 1. In contrast, if $w$ is uniformly distributed in $\{0,1\}^{2n}$ then the probability that there exists an $s$ with $G(s) = w$ is at most $2^{-n}$, and so $D$ outputs 1 in this case with probability at most $2^{-n}$. We therefore have that

$$\left|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\right| \ge 1 - 2^{-n},$$

which is large. This type of attack is called a brute force attack because it just tries all possible seeds. The advantage of such an “attack” is that it is applicable to all generators, irrespective of how they work.
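To make the counting argument concrete, here is an added Python example (not from the text) that implements the exhaustive-search distinguisher $D$ against a constructed toy generator with $n = 8$ and $\ell(n) = 2n$, and computes $\Pr[D(G(s)) = 1]$ and $\Pr[D(r) = 1]$ exactly; toy_prg and its mixing constant are made up for illustration and are not a secure generator.

```python
from fractions import Fraction
from typing import Callable, Set, Tuple

# n-bit strings are represented as Python ints in [0, 2^n).
Generator = Callable[[int, int], int]


def toy_prg(seed: int, n: int) -> int:
    """Constructed toy generator with expansion factor l(n) = 2n.
    It is deterministic and doubles the input length, which is all the
    range-counting argument needs; it is NOT pseudorandom."""
    mask = (1 << (2 * n)) - 1
    x = (seed * 0x9E3779B1) ^ (seed << 5) ^ (seed << (n + 3))
    return x & mask


def prg_range(G: Generator, n: int) -> Set[int]:
    """All outputs G(s) for s in {0,1}^n. This costs 2^n evaluations of G,
    i.e. it is exponential in the seed length: fine for n = 8, hopeless
    for n = 128."""
    return {G(s, n) for s in range(1 << n)}


def brute_force_distinguisher(G: Generator, n: int, w: int) -> int:
    """The exponential-time D of the text: output 1 iff there is a seed
    s in {0,1}^n with G(s) = w, found by trying every seed."""
    return 1 if any(G(s, n) == w for s in range(1 << n)) else 0


def exact_success_probabilities(G: Generator, n: int) -> Tuple[Fraction, Fraction]:
    """Return (Pr[D(G(s)) = 1], Pr[D(r) = 1]) as exact fractions, where
    s is uniform in {0,1}^n and r is uniform in {0,1}^{2n}."""
    # Every G(s) lies in the range of G, so D answers 1 on each of them.
    hits = sum(brute_force_distinguisher(G, n, G(s, n)) for s in range(1 << n))
    p_pseudo = Fraction(hits, 1 << n)
    # A uniform 2n-bit r is accepted iff it lies in the range of G, which
    # happens with probability |range(G)| / 2^{2n} <= 2^n / 2^{2n} = 2^{-n}.
    p_random = Fraction(len(prg_range(G, n)), 1 << (2 * n))
    return p_pseudo, p_random


if __name__ == "__main__":
    n = 8
    p_pseudo, p_random = exact_success_probabilities(toy_prg, n)
    print(f"n={n}: Pr[D(G(s))=1] = {p_pseudo}, Pr[D(r)=1] = {p_random}, "
          f"gap = {p_pseudo - p_random} >= 1 - 2^-{n}")
```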

The above shows that the distribution generated by $G$ is not the uniform one. Nevertheless, polynomial-time distinguishers do not have time to carry out the above procedure. Indeed, if $G$ is a pseudorandom generator, then it is guaranteed that there do not exist any polynomial-time procedures that reliably distinguish random and pseudorandom strings. This means that pseudorandom strings are just as good as truly random ones, as long as the seed is kept secret and we are considering only polynomial-time observers.

The seed and its length. The seed for a pseudorandom generator must be chosen uniformly at random, and be kept entirely secret from the distinguisher. Another important point, evident from the above discussion of brute-force attacks, is that $s$ must be long enough so that no “efficient algorithm” has time to traverse all possible seeds. Technically, this is taken care of by the fact that all algorithms are assumed to run in polynomial time and thus cannot search through all $2^n$ possible seeds when $n$ is large enough. In practice, however, the seed must be taken to be of some concrete length. Based on the above, at the very least $s$ must be long enough so that it is impossible to efficiently try all possible seeds.

Existence of pseudorandom generators. The first question one should ask is whether any entity satisfying Definition 3.14 even exists. Unfortunately, we do not know how to unequivocally prove the existence of pseudorandom generators. Nevertheless, we believe that pseudorandom generators exist, and this belief is based on the fact that they can be constructed (in a provable sense) under the rather weak assumption that one-way functions exist. This will be discussed in greater detail in Chapter 6. For now, it suffices to say that there are certain long-studied problems that have no known efficient algorithm and that are widely assumed to be unsolvable in polynomial-time. An example of such a problem is integer factorization: i.e., the problem of finding the prime factors of a given number. What is important for our discussion here is that one-way functions, and hence pseudorandom generators, can be constructed under the assumption that these problems really are “hard”.

In practice, various constructions believed to act as pseudorandom generators are known. In fact, as we will see later in this chapter and in Chapter 5, constructions exist that are believed to satisfy even stronger requirements.


3.4 Constructing Secure Encryption Schemes

3.4.1 A Secure Fixed-Length Encryption Scheme

We are now ready to construct a fixed-length encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. The encryption scheme we construct is very similar to the one-time pad encryption scheme (see Section 2.2), except that a pseudorandom string is used as the “pad” rather than a random string. Since a pseudorandom string “looks random” to any polynomial-time adversary, the encryption scheme can be proven to be computationally-secure.
The encryption scheme. Let $G$ be a pseudorandom generator with expansion factor $\ell$ (that is, $|G(s)| = \ell(|s|)$). Recall that an encryption scheme is defined by three algorithms: a key-generation algorithm Gen, an encryption algorithm Enc, and a decryption algorithm Dec. The encryption process works by applying a pseudorandom generator to the key (which serves as a seed) in order to obtain a long pad that is then XORed to the plaintext message. The scheme is formally described in Construction 3.15, and is depicted graphically in Figure 3.2.


CONSTRUCTION 3.15

Let $G$ be a pseudorandom generator with expansion factor $\ell$. Define a private-key encryption scheme for messages of length $\ell$ as follows:

• Gen: on input $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random and output it as the key.

• Enc: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{\ell(n)}$, output the ciphertext

$$c := G(k) \oplus m.$$

• Dec: on input a key $k \in \{0,1\}^n$ and a ciphertext $c \in \{0,1\}^{\ell(n)}$, output the plaintext message

$$m := G(k) \oplus c.$$

A private-key encryption scheme from any pseudorandom generator.

We now prove that the given encryption scheme has indistinguishable encryptions in the presence of an eavesdropper, under the assumption that $G$ is a pseudorandom generator. Notice that our claim is not unconditional. Rather, we reduce the security of the encryption scheme to the properties of $G$ as a pseudorandom generator. This is a very important proof technique that was described in Section 3.1.3 and will be discussed further after the proof itself.

THEOREM 3.16 If $G$ is a pseudorandom generator, then Construction 3.15 is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.

PROOF Let $\Pi$ denote Construction 3.15. We show that if there exists a probabilistic polynomial-time adversary $\mathcal{A}$ for which Definition 3.8 does not hold, then we can construct a probabilistic polynomial-time algorithm that distinguishes the output of $G$ from a truly random string. The intuition behind this claim is that if $\Pi$ used a truly random string in place of the pseudorandom string $G(k)$, then the resulting scheme would be identical to the one-time pad encryption scheme and $\mathcal{A}$ would be unable to correctly guess which message was encrypted with probability any better than 1/2. So, if Definition 3.8 does not hold then $\mathcal{A}$ must (implicitly) be distinguishing the output of $G$ from a random string. The reduction we now show makes this explicit.

Let $\mathcal{A}$ be a probabilistic polynomial-time adversary, and define $\varepsilon$ as

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] - \frac{1}{2}. \qquad (3.2)$$

We use $\mathcal{A}$ to construct a distinguisher $D$ for the pseudorandom generator $G$, such that $D$ “succeeds” with probability $\varepsilon(n)$. The distinguisher is given a string $w$ as input, and its goal is to determine whether $w$ was chosen uniformly at random (i.e., $w$ is a “random string”) or whether $w$ was generated by choosing a random $k$ and computing $w := G(k)$ (i.e., $w$ is a “pseudorandom string”). $D$ emulates the eavesdropping experiment for $\mathcal{A}$ in the manner described below, and observes whether $\mathcal{A}$ succeeds or not. If $\mathcal{A}$ succeeds then $D$ guesses that $w$ must be a pseudorandom string, while if $\mathcal{A}$ does not succeed then $D$ guesses that $w$ is a random string. In detail:

Distinguisher $D$:

$D$ is given as input a string $w \in \{0,1\}^{\ell(n)}$. (We assume that $n$ can be determined from $\ell(n)$.)

1. Run $\mathcal{A}(1^n)$ to obtain a pair of messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.

2. Choose a random bit $b \leftarrow \{0,1\}$. Set $c := w \oplus m_b$.

3. Give $c$ to $\mathcal{A}$ and obtain output $b'$. Output 1 if $b' = b$, and output 0 otherwise.

Before analyzing the behavior of $D$, we define a modified encryption scheme $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Enc}}, \widetilde{\mathsf{Dec}})$ that is exactly the one-time pad encryption scheme, except that we now incorporate a security parameter that determines the length of the messages to be encrypted. That is, $\widetilde{\mathsf{Gen}}(1^n)$ outputs a completely random key $k$ of length $\ell(n)$, and the encryption of a message $m \in \{0,1\}^{\ell(n)}$ using the key $k \in \{0,1\}^{\ell(n)}$ is the ciphertext $c := k \oplus m$. (Decryption can be performed as usual, but is inessential to what follows.) By the perfect secrecy of the one-time pad, we have that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right] = \frac{1}{2}. \qquad (3.3)$$

In analyzing the behavior of $D$, the main observations are as follows:

1. If $w$ is chosen uniformly at random from $\{0,1\}^{\ell(n)}$, then the view of $\mathcal{A}$ when run as a sub-routine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n)$. This is because $\mathcal{A}$ is given a ciphertext $c = w \oplus m_b$ where $w \in \{0,1\}^{\ell(n)}$ is a completely random string. It therefore follows that for $w \leftarrow \{0,1\}^{\ell(n)}$ chosen uniformly at random,

$$\Pr[D(w) = 1] = \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right] = \frac{1}{2},$$

where the second equality follows from Equation (3.3).

2. If $w$ is equal to $G(k)$ for $k \leftarrow \{0,1\}^n$ chosen uniformly at random, then the view of $\mathcal{A}$ when run as a sub-routine by $D$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$. This is because $\mathcal{A}$ is given a ciphertext $c = w \oplus m_b$ where $w = G(k)$ for a uniformly-distributed value $k \in \{0,1\}^n$. Thus, when $w = G(k)$ for $k \leftarrow \{0,1\}^n$ chosen uniformly at random, we have

$$\Pr[D(w) = 1] = \Pr[D(G(k)) = 1] = \Pr\left[\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] = \frac{1}{2} + \varepsilon(n),$$

where the second equality follows from the definition of $\varepsilon$.

Therefore,

$$\left|\Pr[D(w) = 1] - \Pr[D(G(k)) = 1]\right| = \varepsilon(n)$$

where, above, $w$ is chosen uniformly from $\{0,1\}^{\ell(n)}$ and $k$ is chosen uniformly from $\{0,1\}^n$. By the assumption that $G$ is a pseudorandom generator, it must be the case that $\varepsilon$ is negligible. By the definition of $\varepsilon$ (see Equation (3.2)), this implies that $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper, concluding the proof. ■
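The reduction in the proof above, as an added Python example that is not part of the text: Construction 3.15 is instantiated with a constructed, deliberately broken generator $G(k) = k \| k$, an adversary $\mathcal{A}$ that exploits that structure is written down, and the distinguisher $D$ built from $\mathcal{A}$ has its two success probabilities computed exactly by enumerating every seed, every $w$ and both values of $b$ (the seed is one byte here so that enumeration is feasible). The names broken_prg, StructureAdversary and exact_advantage are mine.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Tuple

# Strings in {0,1}^* are represented as bytes, so "n" below counts bytes.


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def broken_prg(k: bytes) -> bytes:
    """Constructed, deliberately insecure generator G(k) = k || k.
    It satisfies expansion (l(n) = 2n) but not pseudorandomness."""
    return k + k


class StructureAdversary:
    """Eavesdropping adversary A against Construction 3.15 instantiated with
    broken_prg: it picks messages whose encryptions reveal whether the pad
    has two equal halves."""

    def __init__(self, n: int):
        self.n = n

    def choose_messages(self) -> Tuple[bytes, bytes]:
        n = self.n
        m0 = bytes(2 * n)                      # 0^{2n}
        m1 = bytes([0xFF] * n) + bytes(n)      # 1^n || 0^n
        return m0, m1

    def guess(self, c: bytes) -> int:
        # c = G(k) xor m_b; with G(k) = k || k the halves of c agree iff b = 0.
        n = self.n
        return 0 if c[:n] == c[n:] else 1


def distinguisher_D(adversary: StructureAdversary, w: bytes, b: int) -> int:
    """The distinguisher of Theorem 3.16's proof. The coin b of step 2 is
    passed in explicitly so that probabilities can be computed exactly."""
    m0, m1 = adversary.choose_messages()      # step 1: run A(1^n)
    c = xor(w, m1 if b else m0)               # step 2: c := w xor m_b
    b_prime = adversary.guess(c)              # step 3: give c to A
    return 1 if b_prime == b else 0


def exact_advantage(prg: Callable[[bytes], bytes],
                    adversary: StructureAdversary,
                    n: int) -> Tuple[Fraction, Fraction]:
    """Return (Pr[D(G(k)) = 1], Pr[D(w) = 1]) exactly, with k uniform in
    {0,1}^n (n bytes), w uniform in {0,1}^{2n}, and b a uniform bit."""
    seeds = [bytes(t) for t in product(range(256), repeat=n)]
    ones_pseudo = sum(distinguisher_D(adversary, prg(k), b)
                      for k in seeds for b in (0, 1))
    p_pseudo = Fraction(ones_pseudo, 2 * len(seeds))

    strings = [bytes(t) for t in product(range(256), repeat=2 * n)]
    ones_random = sum(distinguisher_D(adversary, w, b)
                      for w in strings for b in (0, 1))
    p_random = Fraction(ones_random, 2 * len(strings))
    return p_pseudo, p_random


if __name__ == "__main__":
    n = 1
    p_pseudo, p_random = exact_advantage(broken_prg, StructureAdversary(n), n)
    # A wins the eavesdropping game against this Pi with probability 1, so
    # epsilon(n) = 1/2 by (3.2), and D's gap equals epsilon(n), as in the proof.
    print(f"Pr[D(G(k))=1] = {p_pseudo}, Pr[D(w)=1] = {p_random}, "
          f"gap = {p_pseudo - p_random}")
```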

It is easy to get lost in the details of the proof and wonder whether anything has been gained as compared to the one-time pad; after all, the one-time pad also encrypts an $\ell$-bit message by XORing it with an $\ell$-bit string! The point of the construction, of course, is that the $\ell$-bit string $G(k)$ can be much longer than the key $k$. In particular, using the above encryption scheme it is possible to encrypt a file that is megabytes long using only a 128-bit key. This is in stark contrast with Theorem 2.7 that states that for any perfectly-secret encryption scheme, the key must be at least as long as the message being encrypted. The computational approach enables us to achieve much more than when perfect secrecy is required.

Reductions — a discussion. We do not prove unconditionally that Construction 3.15 is secure. Rather, we prove that it is secure under the assumption that $G$ is a pseudorandom generator. This approach of reducing the security of a construction to some underlying primitive is of great importance for a number of reasons. First, as we have already noted, we do not know how to prove the unconditional existence of an encryption scheme satisfying Definition 3.8 and such a proof seems far out of reach today. Given this, reducing the security of a higher-level construction to a lower-level primitive has a number of advantages (as discussed in Section 1.4.2). One of these advantages is the fact that, in general, it is easier to design a lower-level primitive than a higher-level one; it is similarly easier, in general, to be convinced that something satisfies a lower-level definition than a higher-level one. This does not mean that constructing a pseudorandom generator is “easy”, only that it is easier than constructing an encryption scheme from scratch. (Of course, in the present case the encryption scheme does almost nothing except XOR the output of a pseudorandom generator with the message and so this isn’t really true. However, we will see more complex constructions and in these cases the ability to reduce the task to a simpler one is of great importance.)

3.4.2 Handling Variable-Length Messages

The construction of the previous section has the disadvantage of allowing encryption only of fixed-length messages. (I.e., for each particular value $n$ of the security parameter, only messages of length $\ell(n)$ can be encrypted.) This deficiency is easy to address by using a variable output-length pseudorandom generator in Construction 3.15.

Variable output-length pseudorandom generators. In some applications, we do not know ahead of time how many bits of pseudorandomness will be needed. Thus, what we actually want is a pseudorandom generator that can output a pseudorandom string of any desired length. More specifically, we would like $G$ to receive two inputs: the seed $s$ and the length of the output $\ell$ (the length $\ell$ is given in unary for the same reason that the security parameter is given in unary); $G$ should then output a pseudorandom string of length $\ell$. We now present the formal definition:

DEFINITION 3.17 A deterministic polynomial-time algorithm $G$ is a variable output-length pseudorandom generator if the following hold:

1. Let $s$ be a string and $\ell > 0$ be an integer. Then $G(s, 1^{\ell})$ outputs a string of length $\ell$.

2. For all $s, \ell, \ell'$ with $\ell \le \ell'$, the string $G(s, 1^{\ell})$ is a prefix of $G(s, 1^{\ell'})$.[7]

3. Define $G_{\ell}(s) \stackrel{\rm def}{=} G(s, 1^{\ell(|s|)})$. Then for every polynomial $\ell(\cdot)$ it holds that $G_{\ell}$ is a pseudorandom generator with expansion factor $\ell$.

Any standard pseudorandom generator (as in Definition 3.14) can be converted into a variable output-length one; see Section 6.4.2.

Given the above definition, we modify Construction 3.15 in the natural way: encryption of a message $m$ using the key $k$ is carried out by computing the ciphertext $c := G(k, 1^{|m|}) \oplus m$; decryption of a ciphertext $c$ using the key $k$ is carried out by computing the message $m := G(k, 1^{|c|}) \oplus c$. We leave it as an exercise to prove that this scheme also satisfies Definition 3.8. The proof follows that of Theorem 3.16 except for one technical subtlety that arises.


[7] This condition is needed for technical reasons in order to prove the security of Construction 3.15 for variable-length messages when using a variable-length generator.

3.4.3 Stream Ciphers and Multiple Encryptions

In the cryptographic literature, an encryption scheme of the type presented in the previous two sections is often called a stream cipher. This is due to the fact that encryption is carried out by first generating a stream of pseudorandom bits, and then XORing this stream with the plaintext. Unfortunately, there is a bit of confusion as to whether the term "stream cipher" refers to the algorithm that generates the stream (i.e., the pseudorandom generator $G$) or to the entire encryption scheme. This is a crucial issue because the way a pseudorandom generator is used determines whether or not a given encryption scheme is secure. In our opinion, it is best to use the term stream cipher to refer to the algorithm that generates the pseudorandom stream, and thus a "secure" stream cipher should satisfy the definition of a variable output-length pseudorandom generator.[8] Using this terminology, a stream cipher is not an encryption scheme per se, but rather a tool for constructing encryption schemes. The importance of this discussion will become clearer when we discuss the issue of multiple encryptions below.

Stream ciphers in practice. There are a number of practical constructions of stream ciphers available, and these are typically extraordinarily fast. A popular example is the stream cipher RC4, which is widely considered to be secure when used appropriately (see below). The security of practical stream ciphers is not yet very well understood, particularly in comparison to block ciphers (introduced later in this chapter). This is borne out by the fact that there is no standardized, popular stream cipher that has been used for many years and whose security has not come into question. For example, "plain" RC4 (that was considered secure at one point and is still widely deployed) is now known to have some significant weaknesses. For one, the first few bytes of the output stream generated by RC4 have been shown to be biased. Although this may seem benign, it was also shown that this weakness can be used to feasibly break the WEP encryption protocol used in 802.11 wireless networks. (WEP is a standardized protocol for protecting wireless communications. The WEP standard has since been updated to fix the problem.) If RC4 is to be used, the first 1024 bits or so of the output stream should be discarded.

Linear feedback shift registers (LFSRs) have, historically, also been popular as stream ciphers. However, they have been shown to be horribly insecure (to the extent that the key can be completely recovered given sufficiently many bytes of the output) and so should never be used today.

In general, we advocate the use of block ciphers in constructing secure encryption schemes. Block ciphers are efficient enough for all but the most resource-constrained environments, and seem to be more secure than existing stream ciphers. For completeness, we remark that a stream cipher can be easily constructed from a block cipher, as described in Section 3.6.4 below. The disadvantage of this approach as compared to a dedicated stream cipher is that it is usually less efficient.

[8] Soon we will introduce the notion of a block cipher. In that context, it is accepted that this term refers to the tool itself and not how it is used in order to achieve secure encryption. We therefore prefer to use the term "stream cipher" analogously.


Security for Multiple Encryptions

Definition 3.8, and all our discussion until now, has dealt with the case that the adversary receives a single ciphertext. In reality, however, communicating parties send multiple ciphertexts to each other and an eavesdropper will see many of these. It is therefore of great importance to ensure that the encryption scheme being used is secure even in this setting.

Let us first give a definition of security. As in the case of Definition 3.8, we first introduce an appropriate experiment that is defined for an encryption scheme $\Pi$, an adversary $\mathcal{A}$, and a security parameter $n$:

The multiple-message eavesdropping experiment $\mathsf{PrivK}^{\mathsf{mult}}_{\mathcal{A},\Pi}(n)$:

1. The adversary $\mathcal{A}$ is given input $1^n$, and outputs a pair of vectors of messages $M_0 = (m_0^1, \ldots, m_0^t)$ and $M_1 = (m_1^1, \ldots, m_1^t)$ with $|m_0^i| = |m_1^i|$ for all $i$.

2. A key $k$ is generated by running $\mathsf{Gen}(1^n)$, and a random bit $b \leftarrow \{0,1\}$ is chosen. For all $i$, the ciphertext $c^i \leftarrow \mathsf{Enc}_k(m_b^i)$ is computed and the vector of ciphertexts $C = (c^1, \ldots, c^t)$ is given to $\mathcal{A}$.

3. $\mathcal{A}$ outputs a bit $b'$.

4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.


The definition of security for multiple messages is the same as for a single message, except that it now refers to the above experiment. That is:

DEFINITION 3.18 A private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ has indistinguishable multiple encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{mult}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the random coins used by $\mathcal{A}$, as well as the random coins used in the experiment (for choosing the key and the random bit $b$, as well as for the encryption itself).


A crucial observation is that security for a single encryption (as in Definition 3.8) does not imply security under multiple encryptions. This is formalized in the following proposition.

PROPOSITION 3.19 There exist private-key encryption schemes that have indistinguishable encryptions in the presence of an eavesdropper but do not have indistinguishable multiple encryptions in the presence of an eavesdropper.


PROOF We do not have to look far to find an encryption scheme fulfilling the proposition. Specifically, Construction 3.15, which was proven secure for a single encryption in Theorem 3.16, is not secure when used for multiple encryptions. This should not come as a surprise because we have already seen that the one-time pad is only secure when used once, and Construction 3.15 works in a similar way.

Concretely, consider the following adversary $\mathcal{A}$ attacking the encryption scheme (in the sense defined by experiment $\mathsf{PrivK}^{\mathsf{mult}}$): $\mathcal{A}$ outputs the vectors $M_0 = (0^n, 0^n)$ and $M_1 = (0^n, 1^n)$. That is, the first vector contains two plaintexts, where each plaintext is just a length-$n$ string of zeroes. In contrast, in the second vector the first plaintext is all zeroes and the second is all ones. Now, let $C = (c^1, c^2)$ be the vector of ciphertexts that $\mathcal{A}$ receives. If $c^1 = c^2$, then $\mathcal{A}$ outputs 0; otherwise, $\mathcal{A}$ outputs 1.

We now analyze $\mathcal{A}$'s success in guessing $b$. The main point is that Construction 3.15 is deterministic, so that if the same message is encrypted multiple times then the same ciphertext results each time. Now, if $b = 0$ then the same message is encrypted each time (since $m_0^1 = m_0^2$); thus, $c^1 = c^2$ and hence $\mathcal{A}$ always outputs 0 in this case. On the other hand, if $b = 1$ then a different message is encrypted each time (since $m_1^1 \neq m_1^2$), and so $c^1 \neq c^2$; here, $\mathcal{A}$ always outputs 1. We conclude that $\mathcal{A}$ outputs $b' = b$ with probability 1 and so the encryption scheme is not secure with respect to Definition 3.18. ■

The proof of Proposition 3.19 may seem contrived. However, this is far from the truth. The mere knowledge that the same message has been re-sent can provide significant information and has historically been very useful to cryptanalysts.

Necessity of probabilistic encryption. In the proof of Proposition 3.19 we have shown that Construction 3.15 is not secure for multiple encryptions. The only feature of that construction used in the proof was that encrypting a message always yields the same ciphertext, and so we actually obtain that any deterministic scheme must be insecure for multiple encryptions. This is important enough to state as a theorem.

THEOREM 3.20 Let $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be an encryption scheme for which $\mathsf{Enc}$ is a deterministic function of the key and the message. Then $\Pi$ does not have indistinguishable multiple encryptions in the presence of an eavesdropper.

This implies that to construct an encryption scheme that is secure with respect to Definition 3.18, at a very minimum we will have to ensure that when the same message is encrypted multiple times, a different ciphertext results each time. At first sight this may seem like an impossible task since decryption must always be able to recover the message. However, we will later see how to achieve it.

Multiple encryptions using a stream cipher — a common error. Unfortunately, incorrect implementations of cryptographic constructions are very frequent. One common error is to use a stream cipher (in its naive form as in Construction 3.15) in order to encrypt multiple plaintexts. As an example, this error appears in an implementation of encryption in Microsoft Word and Excel; see [147]. In practice, such an error can be devastating. We emphasize that this is not just a "theoretical artifact" due to the fact that encrypting the same message twice yields the same ciphertext. Even if the same message is never encrypted twice, various attacks are possible, as mentioned in Section 2.2.


Secure Multiple Encryptions Using a Stream Cipher

There are typically two ways in which a stream cipher/pseudorandom generator is used in practice to securely encrypt multiple plaintexts (see also Figure 3.3):

1. Synchronized mode: In this mode, the communicating parties use a different part of the stream output by the stream cipher in order to encrypt each message. This mode is "synchronized" because both parties need to know which parts of the stream have already been used in order to prevent re-use, which (as we have already shown) is not secure.

This mode is useful in a setting where parties are communicating in a single session. In this setting, the first party uses the first part of the stream in order to send its first message. The second party obtains the ciphertext, decrypts, and then uses the next part of the stream in order to encrypt its reply. Since each part of the stream is used only once, it is possible to view the concatenation of all of the messages sent by the parties as a single long plaintext. Security of the scheme follows as in Theorem 3.16 (adapted for the case of variable-length messages).

This mode is not suitable in all applications because the parties are required to maintain state between encryptions (in particular, to tell them which portion of the stream to use next). For the same reason, the security of this method does not contradict Theorem 3.20 even though it is deterministic (because it does not satisfy the syntactic requirements of Definition 3.7).

FIGURE 3.3: Synchronized mode vs. unsynchronized mode.


2. Unsynchronized mode: In this mode, encryptions are carried out independently of one another and the parties do not need to maintain state. In order to achieve security, however, our notion of a pseudorandom generator must be significantly strengthened. Now, we view a pseudorandom generator as taking two inputs: a seed $s$ and an initial vector $IV$ of length $n$. Roughly speaking, the requirement is that $G(s, IV)$ is pseudorandom even when $IV$ is known (but $s$ is kept secret). Furthermore, for two randomly-chosen initial vectors $IV_1$ and $IV_2$, the streams $G(s, IV_1)$ and $G(s, IV_2)$ should remain pseudorandom even when viewed together and with their respective $IV$s.

Given a generator as above, encryption can be defined as

$$\mathsf{Enc}_k(m) := \langle IV,\ G(k, IV) \oplus m \rangle$$

where $IV \leftarrow \{0,1\}^n$ is chosen at random. (For simplicity, we focus on encrypting fixed-length messages.) The $IV$ is chosen fresh (i.e., independently and uniformly at random) for each encryption and thus each stream is pseudorandom, even if previous streams are known. Note that the $IV$ is sent as part of the ciphertext in order to enable the recipient to decrypt; i.e., given $\langle IV, c \rangle$, the recipient can compute $m := c \oplus G(k, IV)$.

Many stream ciphers in practice are assumed to have the augmented pseudorandomness property sketched informally above, and can thus be used in unsynchronized mode. However, we warn that a standard pseudorandom generator may not have this property, and that this assumption is a strong one. In fact, such a generator is "almost" a pseudorandom function; see Section 3.6.1 and Exercise 3.20.
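The adversary from the proof of Proposition 3.19 run against both a naive deterministic stream-cipher scheme and the unsynchronized mode just described, together with the synchronized mode as a pair of stateful endpoints, as an added Python example (this is not the book's own code). The stream $G(k, IV)$ is modelled by SHAKE-256 applied to $k \| IV$; assuming that this is a pseudorandom generator with the augmented property (pseudorandom output for known, distinct $IV$s) is an assumption made here, and the parameter `N = 16` bytes, the function and class names and the message vectors are choices for the example.

```python
import hashlib
import os
import secrets

N = 16  # security parameter in bytes (n = 128 bits); a choice for this example


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def G(seed: bytes, iv: bytes, length: int) -> bytes:
    """Stream G(s, IV) cut to `length` bytes, modelled as SHAKE-256(s || IV).
    Treating this as a generator that stays pseudorandom for known, distinct
    IVs is an assumption of this example."""
    return hashlib.shake_256(seed + iv).digest(length)


def enc_naive(k: bytes, m: bytes) -> bytes:
    """Construction 3.15 with a variable-length generator: no IV, deterministic."""
    return xor(G(k, b"", len(m)), m)


def enc_unsync(k: bytes, m: bytes) -> bytes:
    """Unsynchronized mode: Enc_k(m) = <IV, G(k, IV) xor m> with a fresh IV."""
    iv = os.urandom(N)
    return iv + xor(G(k, iv, len(m)), m)


def dec_unsync(k: bytes, c: bytes) -> bytes:
    iv, body = c[:N], c[N:]
    return xor(G(k, iv, len(body)), body)


class SynchronizedChannel:
    """Synchronized mode: each party keeps a counter of stream bytes already
    consumed, so every message uses a fresh portion of the single stream.
    Both parties hold their own instance with the same key."""

    def __init__(self, k: bytes):
        self.k = k
        self.pos = 0  # the state the parties must keep between messages

    def _next_stream(self, length: int) -> bytes:
        ks = G(self.k, b"", self.pos + length)[self.pos:]  # prefix property
        self.pos += length
        return ks

    def encrypt(self, m: bytes) -> bytes:
        return xor(self._next_stream(len(m)), m)

    decrypt = encrypt  # decryption XORs the same stream portion


class RepeatDetector:
    """The adversary from the proof of Proposition 3.19: choose (0^n, 0^n) versus
    (0^n, 1^n) and output 0 exactly when the two ciphertexts coincide."""

    def choose(self, n: int):
        return [bytes(n), bytes(n)], [bytes(n), b"\xff" * n]

    def guess(self, C) -> int:
        return 0 if C[0] == C[1] else 1


def privk_mult(enc, adversary, n: int = N) -> int:
    """One run of PrivK^mult_{A,Pi}(n); returns 1 if A outputs b' = b."""
    M0, M1 = adversary.choose(n)
    assert all(len(x) == len(y) for x, y in zip(M0, M1))
    k = os.urandom(n)
    b = secrets.randbelow(2)
    C = [enc(k, m) for m in (M0, M1)[b]]
    return 1 if adversary.guess(C) == b else 0


def success_rate(enc, adversary, trials: int = 400) -> float:
    """Empirical Pr[PrivK^mult = 1] over independent runs of the experiment."""
    return sum(privk_mult(enc, adversary) for _ in range(trials)) / trials
```

Against `enc_naive` the detector wins every run, as in the proof; against `enc_unsync` the two ciphertexts carry different IVs and so never coincide, leaving the detector with a guess that is right about half the time. The synchronized endpoints decrypt correctly only because both counters advance in lockstep, which is exactly the state the text says this mode requires.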
3.5 Security Against Chosen-Plaintext Attacks (CPA)

Until now we have considered a relatively weak adversary who only passively eavesdrops on the communication between two honest parties. (Of course, our actual definition of $\mathsf{PrivK}^{\mathsf{eav}}$ allows the adversary to choose the plaintexts that are to be encrypted. Nevertheless, beyond this capability the adversary is completely passive.) In this section, we formally introduce a more powerful type of adversarial attack, called a chosen-plaintext attack (CPA). The definition of security under CPA attacks is the same as in Definition 3.8, except that the adversary's attack capabilities are strengthened.

The basic idea behind a chosen-plaintext attack is that the adversary $\mathcal{A}$ is allowed to ask for encryptions of multiple messages chosen adaptively. This is formalized by allowing $\mathcal{A}$ to interact freely with an encryption oracle, viewed as a "black-box" that encrypts messages of $\mathcal{A}$'s choice using the secret key $k$ (that is unknown to $\mathcal{A}$). Following standard notation in computer science, we denote by $\mathcal{A}^{\mathcal{O}(\cdot)}$ the computation of $\mathcal{A}$ given access to an oracle $\mathcal{O}$, and thus in this case we denote the computation of $\mathcal{A}$ with access to an encryption oracle that uses key $k$ by $\mathcal{A}^{\mathsf{Enc}_k(\cdot)}$. When $\mathcal{A}$ queries its oracle by providing it with a plaintext message $m$ as input, the oracle returns a ciphertext $c \leftarrow \mathsf{Enc}_k(m)$ as the reply. When $\mathsf{Enc}$ is randomized, the oracle uses fresh random coins each time it answers a query.

The definition of security requires that $\mathcal{A}$ should not be able to distinguish the encryption of two arbitrary messages, even when $\mathcal{A}$ is given access to an encryption oracle. We present the definition and afterwards discuss what real-world adversarial attacks the definition is meant to model.

We first define an experiment for any private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$, any adversary $\mathcal{A}$, and any value $n$ of the security parameter:

The CPA indistinguishability experiment $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n)$:

1. A key $k$ is generated by running $\mathsf{Gen}(1^n)$.

2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Enc}_k(\cdot)$, and outputs a pair of messages $m_0, m_1$ of the same length.

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to $\mathcal{A}$. We call $c$ the challenge ciphertext.

4. The adversary $\mathcal{A}$ continues to have oracle access to $\mathsf{Enc}_k(\cdot)$, and outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. (In case $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1$, we say that $\mathcal{A}$ succeeded.)
DEFINITION 3.21 A private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the random coins used by $\mathcal{A}$, as well as the random coins used in the experiment.

Any scheme that has indistinguishable encryptions under a chosen-plaintext attack clearly also has indistinguishable encryptions in the presence of an eavesdropper. This holds because $\mathsf{PrivK}^{\mathsf{eav}}$ is a special case of $\mathsf{PrivK}^{\mathsf{cpa}}$ where the adversary doesn't use its oracle at all.

At first sight, it may appear that Definition 3.21 is impossible to achieve. In particular, consider an adversary that outputs $(m_0, m_1)$ and then receives the challenge ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$. Since the adversary $\mathcal{A}$ has oracle access to $\mathsf{Enc}_k(\cdot)$, it can request that this oracle encrypt the messages $m_0$ and $m_1$ and thus obtain $c_0 \leftarrow \mathsf{Enc}_k(m_0)$ and $c_1 \leftarrow \mathsf{Enc}_k(m_1)$. Adversary $\mathcal{A}$ can then compare $c_0$ and $c_1$ to $c$; if $c = c_0$ then, seemingly, $\mathcal{A}$ knows that $b = 0$, and if $c = c_1$ then it knows that $b = 1$. Why doesn't this strategy allow $\mathcal{A}$ to determine $b$ with probability 1?

The answer is that such an attack would indeed work if the encryption scheme were deterministic (because this implies that every time a message is encrypted, the same ciphertext is obtained). Thus, as with security under multiple encryptions, no deterministic encryption scheme can be secure against chosen-plaintext attacks. Rather, any CPA-secure encryption scheme must be probabilistic. That is, it must use random coins as part of the encryption process in order to ensure that two encryptions of the same message are likely to be different.[9]

Chosen-plaintext attacks in the real world. Definition 3.21 is at least as strong as our earlier Definition 3.8, and so certainly no security is lost by working with this newer definition. In general, however, there may be a price for using a definition that is too strong because it may cause us to use less efficient schemes (even though there are more efficient ones that would suffice for "real-world applications"). We should therefore ask ourselves whether chosen-plaintext attacks represent a realistic adversarial threat with which we should really be concerned.

The fact is that chosen-plaintext attacks (in one form or another) are a realistic threat in many scenarios. We demonstrate this by first looking at some military history from World War II. In May 1942, US Navy cryptanalysts had discovered that Japan was planning an attack on Midway island in the Central Pacific. They had learned this by intercepting a communication message containing the ciphertext fragment "AF" that they believed corresponded to the plaintext "Midway island". Unfortunately, their attempts to convince Washington planners that this was indeed the case were futile; the general belief was that Midway could not possibly be the target. The Navy cryptanalysts then devised the following plan. They instructed the US forces at Midway to send a plaintext message that their freshwater supplies were low. The Japanese intercepted this message and immediately reported to their superiors that "AF" was low on water. The Navy cryptanalysts now had their proof that "AF" was indeed Midway, and the US forces dispatched three aircraft carriers to the location. The result is that Midway was saved, and the Japanese incurred great losses. It is even said that this battle was the turning point in the war by the US against Japan in the Pacific. (See [91, 146] for more information.)

[9] As we have seen, if the encryption process maintains state between successive encryptions (as in the synchronized mode for stream ciphers), random coin tosses may not be necessary. As per Definition 3.7, we typically consider only stateless schemes (which are preferable).

The Navy cryptanalysts here carried out a classic chosen-plaintext attack. They were able to request the Japanese (albeit in a roundabout way) to encrypt the word "Midway" in order to learn information about another ciphertext that they had previously intercepted. If the Japanese encryption scheme had been secure against chosen-plaintext attacks, this strategy by the US cryptanalysts would not have worked (and history may have turned out very differently)! We stress that the Japanese never intended to act as an "encryption oracle" for the US, and thus were the Japanese to analyze the necessity for CPA security, it is unlikely they would have concluded that it was necessary.[10]

We warn against thinking that chosen-plaintext attacks are only the result of clever manipulation. There are many cases where an adversary can influence what is encrypted by an honest party (even if it is more unusual for the adversary to be in complete control over what is encrypted). Consider the following example: many servers communicate with each other today in a secured way (i.e., using encryption). However, the messages that these servers send to each other are based on internal and external requests that they receive, which are in turn chosen by users that may actually be malicious. These attackers can influence the plaintext messages that the servers encrypt, sometimes to a great extent. Such systems must be protected by using an encryption scheme that is secure against chosen-plaintext attacks, and we therefore strongly encourage always using an encryption scheme of this sort.

CPA security for multiple encryptions. The extension of Definition 3.21 to the case of multiple encryptions is straightforward and is the same as the extension of Definition 3.8 to Definition 3.18. That is, we define an experiment which is exactly the same as $\mathsf{PrivK}^{\mathsf{cpa}}$ except that $\mathcal{A}$ outputs a pair of vectors of plaintexts. Then, we require that no polynomial-time $\mathcal{A}$ can succeed in the experiment with probability that is non-negligibly greater than $1/2$.

[10] Ask yourself whether you would have anticipated such an attack.

Importantly, CPA security for a single encryption automatically implies CPA security for multiple encryptions. (This stands in contrast to the case of eavesdropping adversaries; see Proposition 3.19.) We state the claim here without proof; a similar claim, but in the public-key setting, is proved in Section 10.2.2.

PROPOSITION 3.22 Any private-key encryption scheme that has indistinguishable encryptions under a chosen-plaintext attack also has indistinguishable multiple encryptions under a chosen-plaintext attack.

This is a significant technical advantage of CPA security. It suffices to prove that a scheme is CPA-secure for a single encryption and then we obtain "for free" that it is CPA-secure for multiple encryptions as well.

Fixed-length vs. arbitrary-length messages. Another advantage of working with the definition of CPA-security is that it allows us to treat fixed-length encryption schemes without much loss of generality. In particular, we claim that given any CPA-secure fixed-length encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$, it is possible to construct a CPA-secure encryption scheme $\Pi' = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ for arbitrary-length messages quite easily. For simplicity, say $\Pi$ encrypts messages that are 1 bit long (though everything we say extends in the natural way when $\Pi$ encrypts messages of some fixed length $\ell(n)$). Leave $\mathsf{Gen}'$ the same as $\mathsf{Gen}$. Define $\mathsf{Enc}'_k$ for any message $m$ (having some arbitrary length $\ell$) in the following way:

$$\mathsf{Enc}'_k(m) = \mathsf{Enc}_k(m_1), \ldots, \mathsf{Enc}_k(m_{\ell}),$$

where $m = m_1 \cdots m_{\ell}$ and $m_i \in \{0,1\}$ for all $i$. Decryption is done in the natural way. We claim that $\Pi'$ is CPA-secure if and only if $\Pi$ is. A proof follows from Proposition 3.22.

Notwithstanding the above, there may in practice be more efficient ways to encrypt messages of arbitrary length than by adapting a fixed-length encryption scheme in the above manner. We treat other ways of encrypting arbitrary-length messages in Section 3.6.4.
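The construction of $\Pi'$ from a fixed-length $\Pi$, run inside the CPA experiment of this section with an encryption oracle, as an added Python example (this is not code from the book). The fixed-length scheme $\Pi$ used here is the unsynchronized stream-cipher mode of Section 3.4.3 on 1-byte blocks (the text uses 1-bit blocks; a byte keeps the same structure), with $G(k, IV)$ modelled by SHAKE-256 applied to $k \| IV$; that this $\Pi$ is CPA-secure is an assumption of the example, and the constants `N` and `L`, the function and class names and the sample messages are choices made here. The adversary implemented is the "re-encrypt both messages and compare" strategy discussed after Definition 3.21; the $N + L$ bytes of ciphertext per plaintext byte also make the efficiency remark above concrete.

```python
import hashlib
import os
import secrets

N = 16  # IV length in bytes (n = 128 bits); a choice for this example
L = 1   # Pi encrypts L-byte messages (the book's construction uses single bits)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def G(seed: bytes, iv: bytes, length: int) -> bytes:
    """Stream G(s, IV) modelled as SHAKE-256(s || IV); an assumption for illustration."""
    return hashlib.shake_256(seed + iv).digest(length)


# Pi = (Gen, Enc, Dec): fixed-length scheme in unsynchronized stream-cipher mode.
# Assumed CPA-secure for the purposes of this example.
def gen() -> bytes:
    return os.urandom(N)


def enc(k: bytes, m: bytes) -> bytes:
    assert len(m) == L, "Pi only encrypts fixed-length messages"
    iv = os.urandom(N)  # fresh random coins on every call
    return iv + xor(G(k, iv, L), m)


def dec(k: bytes, c: bytes) -> bytes:
    iv, body = c[:N], c[N:]
    return xor(G(k, iv, L), body)


# Pi' = (Gen', Enc', Dec'): Enc'_k(m) = Enc_k(m_1), ..., Enc_k(m_l), block by block.
def enc_prime(k: bytes, m: bytes) -> bytes:
    return b"".join(enc(k, m[i:i + L]) for i in range(0, len(m), L))


def dec_prime(k: bytes, c: bytes) -> bytes:
    step = N + L  # each block of Pi' carries one IV plus L ciphertext bytes
    return b"".join(dec(k, c[i:i + step]) for i in range(0, len(c), step))


class EncryptionOracle:
    """Enc_k(.) as a black box: answers with fresh coins and never reveals k."""

    def __init__(self, k: bytes, enc_fn):
        self._k, self._enc, self.queries = k, enc_fn, 0

    def __call__(self, m: bytes) -> bytes:
        self.queries += 1
        return self._enc(self._k, m)


class CompareToOracle:
    """The strategy discussed after Definition 3.21: ask the oracle for fresh
    encryptions of m0 and m1 and compare them with the challenge ciphertext."""

    def choose(self, oracle):
        self.m0, self.m1 = b"\x00" * 4, b"\xff" * 4
        return self.m0, self.m1

    def guess(self, oracle, c: bytes) -> int:
        c0, c1 = oracle(self.m0), oracle(self.m1)
        if c == c0:
            return 0
        if c == c1:
            return 1
        return secrets.randbelow(2)  # no match: nothing better than a coin flip


def privk_cpa(gen_fn, enc_fn, adversary) -> int:
    """One run of PrivK^cpa_{A,Pi}(n); returns 1 if A outputs b' = b."""
    k = gen_fn()
    oracle = EncryptionOracle(k, enc_fn)
    m0, m1 = adversary.choose(oracle)      # A may query the oracle before ...
    assert len(m0) == len(m1)
    b = secrets.randbelow(2)
    challenge = enc_fn(k, (m0, m1)[b])
    return 1 if adversary.guess(oracle, challenge) == b else 0  # ... and after


def success_rate(gen_fn, enc_fn, adversary, trials: int = 400) -> float:
    return sum(privk_cpa(gen_fn, enc_fn, adversary) for _ in range(trials)) / trials
```

Because every call to `enc` draws a new IV, the oracle's answers never match the challenge and the comparison strategy does no better than guessing; with a deterministic $\Pi$ the same adversary would succeed every time, which is the point made in the text.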


3.6 Constructing CPA-Secure Encryption Schemes

In this section we will construct encryption schemes that are secure against chosen-plaintext attacks. We begin by introducing the important notion of pseudorandom functions.
3.6.1 Pseudorandom Functions

As we have seen, pseudorandom generators can be used to obtain security in the presence of eavesdropping adversaries. The notion of pseudorandomness is also instrumental in obtaining security against chosen-plaintext attacks. Now, however, instead of considering pseudorandom strings, we consider pseudorandom functions. We will specifically be interested in pseudorandom functions mapping $n$-bit strings to $n$-bit strings. As in our earlier discussion of pseudorandomness, it does not make much sense to say that any fixed function $f : \{0,1\}^n \to \{0,1\}^n$ is pseudorandom (in the same way that it makes little sense to say that any fixed function is random). Thus, we must technically refer to the pseudorandomness of a distribution on functions. An easy way to do this is to consider keyed functions, defined next.

A keyed function $F$ is a two-input function $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$, where the first input is called the key and denoted $k$, and the second input is just called the input. In general the key $k$ will be chosen and then fixed, and we will then be interested in the single-input function $F_k : \{0,1\}^* \to \{0,1\}^*$ defined by $F_k(x) \stackrel{\rm def}{=} F(k, x)$. For simplicity, we will generally assume that $F$ is length-preserving, meaning that the key, input, and output lengths of $F$ are all the same. That is, we assume that the function $F$ is only defined when the key $k$ and the input $x$ have the same length, in which case $|F_k(x)| = |x| = |k|$. So, by fixing a key $k \in \{0,1\}^n$ we obtain a function $F_k(\cdot)$ mapping $n$-bit strings to $n$-bit strings. We say that $F$ is efficient if there is a deterministic polynomial-time algorithm that computes $F(k, x)$ given $k$ and $x$ as input. We will only be interested in functions $F$ that are efficient.

A keyed function $F$ induces a natural distribution on functions given by choosing a random key $k \leftarrow \{0,1\}^n$ and then considering the resulting single-input function $F_k$. Intuitively, we call $F$ pseudorandom if the function $F_k$ (for a randomly-chosen key $k$) is indistinguishable from a function chosen uniformly at random from the set of all functions having the same domain and range; that is, if no polynomial-time adversary can distinguish — in a sense we will more carefully define soon — whether it is interacting with $F_k$ (for randomly-chosen key $k$) or $f$ (where $f$ is chosen at random from the set of all functions mapping $n$-bit strings to $n$-bit strings).

Since the notion of choosing a function at random is less familiar than the notion of choosing a string at random, it is worth spending a bit more time on this idea. From a mathematical point of view, we can consider the set $\mathsf{Func}_n$ of all functions mapping $n$-bit strings to $n$-bit strings. This set is finite (as we will see in a moment), and so randomly selecting a function mapping $n$-bit strings to $n$-bit strings corresponds exactly to choosing an element uniformly at random from this set. How large is the set $\mathsf{Func}_n$? A function $f$ is fully specified by giving its value on each point in its domain. In fact, we can view any function (over a finite domain) as a large look-up table that stores $f(x)$ in the row of the table labeled by $x$. For $f \in \mathsf{Func}_n$, the look-up table for $f$ has $2^n$ rows (one for each point of the domain $\{0,1\}^n$) and each row contains an $n$-bit string (since the range of $f$ is $\{0,1\}^n$). Any such table can thus be represented using exactly $n \cdot 2^n$ bits. Moreover, the functions in $\mathsf{Func}_n$ are in one-to-one correspondence with look-up tables of this form, meaning that they are in one-to-one correspondence with all strings of length $n \cdot 2^n$. Since there are $2^{n \cdot 2^n}$ strings of length $n \cdot 2^n$, this is the exact size of $\mathsf{Func}_n$.

Viewing a function as a look-up table provides another useful way to think
about selecting a function f ∈ Func_n uniformly at random: It is exactly
equivalent to choosing each row of the look-up table of f uniformly at random.
That is, the values f(x) and f(y) (for x ≠ y) are completely independent and
uniformly distributed.

Coming back to our discussion of pseudorandom functions, recall that we
wish to construct a keyed function F such that F_k (for k ← {0,1}^n chosen
uniformly at random) is indistinguishable from f (for f ← Func_n chosen
uniformly at random). The former is chosen from a distribution over (at most)
2^n distinct functions, whereas the latter is chosen from a distribution over all
2^{n·2^n} functions in Func_n. Despite this, the “behavior” of these functions must
look the same to any polynomial-time distinguisher.

A first attempt at formalizing the notion of a pseudorandom function would
be to proceed in the same way as in Definition 3.14. That is, we could require
that every polynomial-time distinguisher D that receives a description of the
pseudorandom function F_k outputs 1 with “almost” the same probability as
when it receives a description of a random function f. However, this definition
is inappropriate since the description of a random function has exponential
length (i.e., given by its look-up table which has length n · 2^n), while D is
limited to running in polynomial time. So, D would not even have sufficient
time to examine its entire input.

The actual definition therefore gives D oracle access to the function in
question (either F_k or f). D is allowed to query the oracle at any point x, in
response to which the oracle returns the value of the function evaluated at x.
We treat this oracle as a black-box in the same way as when we provided the
adversary with oracle access to the encryption procedure in the definition of a
chosen-plaintext attack. Here, however, the oracle computes a deterministic
function, and so always returns the same result when queried twice on the
same input. We are now ready to present the formal definition. (Although
the definition requires that F be length-preserving, this is merely a simplifying
assumption that is in no way necessary.)


DEFINITION 3.23 Let F : {0,1}* × {0,1}* → {0,1}* be an efficient,
length-preserving, keyed function. We say that F is a pseudorandom function if
for all probabilistic polynomial-time distinguishers D, there exists a negligible
function negl such that:

$$\left|\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right]\right| \le \mathsf{negl}(n),$$

where k ← {0,1}^n is chosen uniformly at random and f is chosen uniformly
at random from the set of functions mapping n-bit strings to n-bit strings.
Notice that D interacts freely with its oracle. Thus, it can ask queries
adaptively, choosing the next input based on the previous outputs received.
However, since D runs in polynomial time, it can ask only a polynomial
number of queries. Notice also that a pseudorandom function must inherit
any efficiently checkable property of a random function. For example, even if
x and x' differ in only a single bit, the outputs F_k(x) and F_k(x') must (with
overwhelming probability over choice of k) look completely uncorrelated. This
gives a hint as to why pseudorandom functions are useful for constructing
secure encryption schemes.

An important point in the definition is that the distinguisher D is not
given the key k. It is meaningless to require that F_k be pseudorandom if k
is known, since given k it is trivial to distinguish an oracle for F_k from an
oracle for f. All the distinguisher has to do is query the oracle at the point 0^n
to obtain the answer y, and compare this to the result y' = F_k(0^n) that can
be computed using the known value k. An oracle for F_k will always return
y = y', while an oracle for a random function will have y = y' with probability
only 2^{-n}. In practice, this means that once k is revealed, all claims to the
pseudorandomness of F_k no longer hold. To take a concrete example, consider
a pseudorandom function F. Then given oracle access to F_k (for random k),
it must be hard to find an input x for which F_k(x) = 0^n (since it would be
hard to find such an input for a truly random function f). But if k is known,
then finding such an input may be easy (and in reality often is).

On the existence of pseudorandom functions. As with pseudorandom
generators, it is important to ask whether pseudorandom functions exist and,
if so, under what assumptions. In practice, very efficient primitives called block
ciphers are used and are widely believed to act as pseudorandom functions.
This is discussed further in Section 3.6.3, and a more in-depth treatment of
block ciphers appears in Chapter 5. From a theoretical point of view, it is
known that pseudorandom functions exist if and only if pseudorandom generators
exist, and so pseudorandom functions can be constructed based on any
of the hard problems that allow the construction of pseudorandom generators.
This is discussed at length in Chapter 6. The existence of pseudorandom functions
based on these hard problems represents one of the surprising and truly
amazing contributions of modern cryptography.

Using pseudorandom functions in cryptography. Pseudorandom functions
turn out to be a very useful building block for a number of different
cryptographic constructions. We use them below to obtain CPA-secure encryption
and in Chapter 4 to construct message authentication codes. One
of the reasons that they are so useful is that they enable a clean and elegant
analysis of the constructions that use them. That is, given a scheme that is
based on a pseudorandom function, a general way of analyzing the scheme is
to first prove its security under the assumption that a truly random function
is used instead. This step relies on a probabilistic analysis and has nothing to
do with computational bounds or hardness. Next, the security of the original
scheme is derived by proving that if an adversary can break the scheme when
a pseudorandom function is used, then it must implicitly be distinguishing
the function from random.

FIGURE 3.4: Encryption with a pseudorandom function.


3.6.2 CPA-Secure Encryption Schemes from Pseudorandom Functions

We  focus  here  on  constructing  a fixed-length  encryption  scheme  that  is 
CPA-secure.  By  what  we  have  said  at  the  end  of  Section  3.5,  this  implies  the 
existence  of  a CPA-secure  encryption  scheme  for  arbitrary-length  messages. 
In  Section  3.6.4  we  will  consider  more  efficient  ways  of  handling  messages  of 
arbitrary  length. 

A naive attempt at constructing a secure encryption scheme from a pseudorandom
function is to define Enc_k(m) := F_k(m). On the one hand, we
expect that this “reveals no information about m” (since f(m) for a random
function f is simply a random n-bit string). However, this method of encryption
is deterministic and so cannot possibly be CPA-secure. Concretely,
given c = Enc_k(m_b) it is possible to request the encryptions Enc_k(m_0) and
Enc_k(m_1); since Enc_k(·) = F_k(·) is a deterministic function, one of these
encryptions will equal c and thus reveal the value of b.

Our actual construction is probabilistic. Specifically, we encrypt by applying
the pseudorandom function to a random value r (rather than the plaintext
message) and XORing the result with the plaintext. (See Construction 3.24
and Figure 3.4.) This can again be viewed as an instance of XORing a pseudorandom
“pad” with a plaintext message, with the major difference being the
fact that an independent pseudorandom pad is used each time. This holds as
long as the pseudorandom function is applied to a different input each time.
Of course, it is possible that a random value r repeats and is used more than
once, and this will explicitly be taken into account in our proof.


CONSTRUCTION 3.24

Let F be a pseudorandom function. Define a private-key encryption
scheme for messages of length n as follows:

• Gen: on input 1^n, choose k ← {0,1}^n uniformly at random and
output it as the key.

• Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, choose
r ← {0,1}^n uniformly at random and output the ciphertext

c := (r, F_k(r) ⊕ m).

• Dec: on input a key k ∈ {0,1}^n and a ciphertext c = (r, s), output
the plaintext message

m := F_k(r) ⊕ s.

A CPA-secure encryption scheme from any pseudorandom function.

Intuitively, security holds because F_k(r) looks completely random to an
adversary who observes a ciphertext (r, s) — and thus the encryption scheme
is similar to the one-time pad — as long as the value r was not used in some
previous encryption (specifically, as long as it was not used by the encryption
oracle when answering one of the adversary’s queries). Moreover, this “bad
event” (namely, a repeating value of r) occurs with only negligible probability.
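
Construction 3.24 in Python, as an added example that is not from the book: HMAC-SHA256 is assumed to stand in for the pseudorandom function F (with n = 256 bits, so key, input and output of F are all 32 bytes), the deterministic Enc_k(m) = F_k(m) of the naive attempt is kept beside it, and the CPA experiment with the simple two-query adversary described above is run against both. The block-wise extension of Corollary 3.26 is included to show the doubled ciphertext length.

```python
# Added example (not the book's code). Assumption: HMAC-SHA256 is modelled as the
# pseudorandom function F, with n = 256 bits (32-byte key, input and output).
import hashlib
import hmac
import random
import secrets

N = 32  # n in bytes: key, input and output length of F


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): length-preserving keyed function, instantiated here with HMAC-SHA256."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen: output a uniform n-bit key."""
    return secrets.token_bytes(N)


def enc(k: bytes, m: bytes) -> tuple:
    """Enc of Construction 3.24: choose a fresh uniform r and output (r, F_k(r) XOR m)."""
    r = secrets.token_bytes(N)
    return r, xor(prf(k, r), m)


def dec(k: bytes, c: tuple) -> bytes:
    """Dec of Construction 3.24: m = F_k(r) XOR s."""
    r, s = c
    return xor(prf(k, r), s)


def enc_naive(k: bytes, m: bytes) -> bytes:
    """The deterministic 'naive attempt' Enc_k(m) = F_k(m) from the text, for comparison."""
    return prf(k, m)


def enc_blocks(k: bytes, m: bytes) -> bytes:
    """Corollary 3.26 extension: each n-bit block gets its own r_i, giving the ciphertext
    r_1 || F_k(r_1) XOR m_1 || r_2 || ... , twice as long as the plaintext."""
    assert len(m) % N == 0
    out = bytearray()
    for i in range(0, len(m), N):
        r, s = enc(k, m[i:i + N])
        out += r + s
    return bytes(out)


def dec_blocks(k: bytes, c: bytes) -> bytes:
    assert len(c) % (2 * N) == 0
    return b"".join(dec(k, (c[i:i + N], c[i + N:i + 2 * N])) for i in range(0, len(c), 2 * N))


def cpa_success_rate(enc_fn, trials: int = 200, seed: int = 0) -> float:
    """Run the CPA indistinguishability experiment against the adversary from the text:
    it asks the oracle for encryptions of m_0 and m_1, receives the challenge
    c = Enc_k(m_b), and outputs the b whose oracle answer equals c (guessing uniformly
    if neither matches). Returns the fraction of trials in which b' = b."""
    rng = random.Random(seed)                 # seeded so the experiment is reproducible
    m0, m1 = b"\x00" * N, b"\xff" * N         # constructed challenge messages
    wins = 0
    for _ in range(trials):
        k = gen()
        c0, c1 = enc_fn(k, m0), enc_fn(k, m1)  # the adversary's two oracle queries
        b = rng.randrange(2)
        c = enc_fn(k, m1 if b else m0)         # challenge ciphertext
        if c == c0:
            guess = 0
        elif c == c1:
            guess = 1
        else:
            guess = rng.randrange(2)           # fresh r: nothing matched, so guess
        wins += guess == b
    return wins / trials


if __name__ == "__main__":
    k = gen()
    m = secrets.token_bytes(3 * N)
    assert dec_blocks(k, enc_blocks(k, m)) == m
    print("ciphertext/plaintext length ratio:", len(enc_blocks(k, m)) / len(m))  # 2.0
    print("naive Enc_k(m) = F_k(m): adversary wins", cpa_success_rate(enc_naive))  # 1.0
    print("Construction 3.24:       adversary wins", cpa_success_rate(enc))        # close to 1/2
```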

THEOREM 3.25 If F is a pseudorandom function, then Construction 3.24
is a fixed-length private-key encryption scheme for messages of length n that
has indistinguishable encryptions under a chosen-plaintext attack.

PROOF The proof here follows a general paradigm for working with pseudorandom
functions: First, we analyze the security of the scheme in an idealized
world where a truly random function f is used in place of F_k, and show
that the scheme is secure in this case. Next, we claim that if the scheme were
insecure when F_k was used then this would imply the possibility of distinguishing
F_k from a truly random function.

Let $\widetilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Enc}}, \widetilde{\mathsf{Dec}})$ be an encryption scheme that is exactly the same
as Π = (Gen, Enc, Dec) in Construction 3.24, except that a truly random
function f is used in place of F_k. That is, $\widetilde{\mathsf{Gen}}(1^n)$ chooses a random function
f ← Func_n, and $\widetilde{\mathsf{Enc}}$ encrypts just like Enc except that f is used instead of F_k.
(This is not a legal encryption scheme because it is not efficient. Nevertheless,
this is a mental experiment for the sake of the proof, and is well defined for
this purpose.) We claim that for every (even inefficient) adversary A that
makes at most q(n) queries to its encryption oracle, we have

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1\right] \le \frac{1}{2} + \frac{q(n)}{2^n}. \tag{3.4}$$
To see this, recall that every time a message m is encrypted (either by the
encryption oracle or when the challenge ciphertext in experiment $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n)$
is computed), a random r ← {0,1}^n is chosen and the ciphertext is set equal
to (r, f(r) ⊕ m). Let r_c denote the random string used when generating the
challenge ciphertext c = (r_c, f(r_c) ⊕ m_b). There are two subcases:

1. The value r_c is used by the encryption oracle to answer at least one of
A’s queries: In this case, A may easily determine which of its messages
was encrypted. This is so because whenever the encryption oracle
returns a ciphertext (r, s) in response to a request to encrypt the message
m, the adversary learns the value of f(r) (since f(r) = s ⊕ m).

Since A makes at most q(n) queries to its oracle and each oracle query
is answered using a value r chosen uniformly at random, the probability
of this event is at most q(n)/2^n (as can be seen by applying a union
bound).

2. The value r_c is never used by the encryption oracle to answer any of A’s
queries: In this case, A learns nothing about the value of f(r_c) from
its interaction with the encryption oracle (since f is a truly random
function). That means that, as far as A is concerned, the value f(r_c)
that is XORed with m_b is completely random, and so the probability
that A outputs b' = b in this case is exactly 1/2 (as in the case of the
one-time pad).

Let Repeat denote the event that r_c is used by the encryption oracle to
answer at least one of A’s queries. We have shown above that the probability
that Repeat occurs is at most q(n)/2^n, and that the probability that A
succeeds if Repeat does not occur is exactly 1/2. Thus, we have:

$$\begin{aligned}
\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1\right]
&= \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1 \wedge \mathsf{Repeat}\right]
 + \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1 \wedge \overline{\mathsf{Repeat}}\right] \\
&\le \Pr[\mathsf{Repeat}] + \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1 \mid \overline{\mathsf{Repeat}}\right] \\
&\le \frac{q(n)}{2^n} + \frac{1}{2},
\end{aligned}$$

as stated in Equation (3.4).

Now, fix some PPT adversary A and define the function ε by

$$\varepsilon(n) := \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right] - \frac{1}{2}. \tag{3.5}$$

The number of oracle queries made by A is upper bounded by its running
time. Since A runs in polynomial time, the number of oracle queries it makes
is upper bounded by some polynomial q(·). Equation (3.4) also holds with
respect to this A; thus:

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1\right] \le \frac{1}{2} + \frac{q(n)}{2^n},$$

and by the definition of ε:

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right] = \frac{1}{2} + \varepsilon(n).$$

If ε is not negligible, then the difference between these is also not negligible.
Intuitively, such a “gap” (if present) would enable us to distinguish the
pseudorandom function from a truly random function.

Formally, we prove this via a reduction. We use A to construct a distinguisher
D for the pseudorandom function F. The distinguisher D is given
oracle access to some function, and its goal is to determine whether this function
is “pseudorandom” (i.e., equal to F_k for a randomly-chosen k ← {0,1}^n)
or “random” (i.e., equal to f for a randomly-chosen f ← Func_n). To do this,
D emulates the CPA indistinguishability experiment for A in the manner described
below, and observes whether A succeeds or not. If A succeeds then D
guesses that its oracle must be a pseudorandom function, while if A does not
succeed then D guesses that its oracle must be a random function. In detail:

Distinguisher D:

D is given input 1^n and access to an oracle O : {0,1}^n → {0,1}^n.

1. Run A(1^n). Whenever A queries its encryption oracle on a
message m, answer this query in the following way:

(a) Choose r ← {0,1}^n uniformly at random.

(b) Query O(r) and obtain response s'.

(c) Return the ciphertext (r, s' ⊕ m) to A.

2. When A outputs messages m_0, m_1 ∈ {0,1}^n, choose a random
bit b ← {0,1} and then:

(a) Choose r ← {0,1}^n uniformly at random.

(b) Query O(r) and obtain response s'.

(c) Return the challenge ciphertext (r, s' ⊕ m_b) to A.

3. Continue answering any encryption oracle queries of A as
before. Eventually, A outputs a bit b'. Output 1 if b' = b,
and output 0 otherwise.

The key points are as follows:

1. If D’s oracle is a pseudorandom function, then the view of A when
run as a sub-routine by D is distributed identically to the view of A
in experiment $\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n)$. This holds because a key k is chosen at
random and then every encryption is carried out by choosing a random
r, computing s' := F_k(r), and setting the ciphertext equal to (r, s' ⊕ m),
exactly as in Construction 3.24. Thus,

$$\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right],$$

where k ← {0,1}^n is chosen uniformly at random in the above.

2. If D’s oracle is a random function, then the view of A when run as a
sub-routine by D is distributed identically to the view of A in experiment
$\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n)$. This can be seen exactly as above, with the only difference
being that a random function f is used instead of F_k. Thus,

$$\Pr\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\widetilde{\Pi}}(n) = 1\right],$$

where f ← Func_n is chosen uniformly at random in the above.

Combining Equations (3.4) and (3.5) with the above, we have that

$$\left|\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right]\right| \ge \varepsilon(n) - \frac{q(n)}{2^n}.$$

By the assumption that F is a pseudorandom function, it follows that ε(n) −
q(n)/2^n must be negligible. Since q is polynomial, this in turn implies that ε
is negligible, and so Π is CPA secure, completing the proof. ∎

As discussed in Section 3.5, any CPA-secure fixed-length encryption scheme
automatically yields a CPA-secure encryption scheme for messages of arbitrary
length. Applying the approach discussed there to the fixed-length scheme
we have just constructed, we have that an arbitrary-length message m =
m_1, ..., m_ℓ, where each m_i is an n-bit block, can be securely encrypted by
computing

(r_1, F_k(r_1) ⊕ m_1, r_2, F_k(r_2) ⊕ m_2, ..., r_ℓ, F_k(r_ℓ) ⊕ m_ℓ).

(The scheme can handle messages whose length is not an exact multiple of n
by truncation; we omit the details.) We have:

COROLLARY 3.26 If F is a pseudorandom function, then the scheme
sketched above is a private-key encryption scheme for arbitrary-length messages
that has indistinguishable encryptions under a chosen-plaintext attack.
Efficiency of Construction 3.24. The CPA-secure encryption scheme in
Construction 3.24, and its extension to arbitrary-length messages in the corollary
above, have the drawback that the length of the ciphertext is (at least)
double the length of the plaintext. This is because each block of size n is
encrypted using an n-bit random string which must be included as part of
the ciphertext. In Section 3.6.4 we will show how the ciphertext length can
be significantly reduced.


3.6.3  Pseudorandom  Permutations  and  Block  Ciphers 

Let F : {0,1}* × {0,1}* → {0,1}* be an efficient, length-preserving, keyed
function. We call F a keyed permutation if for every k, the function F_k(·)
is one-to-one (since F is length-preserving, this implies that F_k is actually a
bijection). We say that a keyed permutation is efficient if there is a polynomial-time
algorithm computing F_k(x) given k and x, as well as a polynomial-time
algorithm computing F_k^{-1}(x) given k and x.

The  convention  taken  here  that  the  lengths  of  the  key,  input,  and  output  are 
all  the  same  does  not  necessarily  hold  for  constructions  in  practice.  Rather, 
the  input  and  output  lengths  — typically  called  the  block  size  — are  the  same 
(which  must  be  the  case  since  it  is  a permutation),  but  the  key  length  can 
be  smaller  or  larger  than  the  block  size,  depending  on  the  construction.  We 
assume  they  are  all  equal  only  to  simplify  notation. 

We define what it means for an efficient keyed permutation F to be a pseudorandom
permutation in a manner exactly analogous to Definition 3.23. The
only change is that we now require that F_k (for a randomly-chosen k) be indistinguishable
from a randomly-chosen permutation rather than a randomly-chosen
function. Actually, this is merely an aesthetic decision since random
permutations and (length-preserving) random functions are anyway indistinguishable
using polynomially-many queries. Intuitively this is due to the fact
that a random function f looks identical to a random permutation unless a
distinct pair of values x and y are found for which f(x) = f(y) (since in such
a case the function cannot be a permutation). However, the probability of
finding such points x, y using a polynomial number of queries is negligible.
We leave a proof of the following for an exercise:

PROPOSITION  3.27  If  F is  a pseudorandom  permutation  then  it  is  also 
a pseudorandom  function. 

If F is an efficient pseudorandom permutation then cryptographic schemes
based on F might require honest parties to compute the inverse F_k^{-1} in addition
to the permutation F_k itself. This potentially introduces new security
concerns that are not covered by the fact that F is pseudorandom. In such
a case, we may need to impose the stronger requirement that F_k be indistinguishable
from a random permutation even if the distinguisher is given oracle
access to the inverse of the permutation. If F has this property, we call it a
strong pseudorandom permutation. Formally:


DEFINITION 3.28 Let F : {0,1}* × {0,1}* → {0,1}* be an efficient,
keyed permutation. We say that F is a strong pseudorandom permutation if
for all probabilistic polynomial-time distinguishers D, there exists a negligible
function negl such that:

< negl(n), 


where k ← {0,1}^n is chosen uniformly at random and f is chosen uniformly
at random from the set of permutations on n-bit strings.


Of  course,  any  strong  pseudorandom  permutation  is  also  a pseudorandom 
permutation. 

We noted earlier that a stream cipher can be modeled as a pseudorandom
generator. The analogue for the case of strong pseudorandom permutations
in practice is a block cipher. Unfortunately, it is often not stated in the literature
that a block cipher is actually assumed to be a strong pseudorandom
permutation. Explicitly modeling block ciphers in this way enables a formal
analysis of many practical constructions that rely on block ciphers. These
constructions include encryption schemes (as studied here), message authentication
codes (to be studied in Chapter 4), authentication protocols, and
more. Moreover, when proving security of a construction, it is important to
specify whether the block cipher is being modeled as a pseudorandom permutation
or a strong pseudorandom permutation. Although most block ciphers
in use today are designed to satisfy the second, stronger requirement, a scheme
that can be proven secure based on the former, weaker assumption may be
preferable (since the requirements on the block cipher are potentially easier
to satisfy).

As with stream ciphers, block ciphers themselves are not secure encryption
schemes. Rather, they are building blocks that can be used to construct
secure encryption schemes. For example, using a block cipher in Construction
3.24 yields a CPA-secure private-key encryption scheme. In contrast, an
encryption scheme that works by just computing c := F_k(m), where F_k is a
strong pseudorandom permutation, is not CPA secure. This distinction between
block ciphers as building blocks and encryption schemes that use block
ciphers is of great importance and one that is too often missed.

While strong pseudorandom permutations are useful in the design and analysis
of efficient cryptographic schemes, we will only use pseudorandom permutations
(that are not necessarily strong) in the rest of this book.
FIGURE 3.5: Electronic Code Book (ECB) mode.

3.6.4  Modes  of  Operation 

A mode of operation is essentially a way of encrypting arbitrary-length
messages using a block cipher (i.e., pseudorandom permutation). In Corollary
3.26 we have already seen one example of a mode of encryption, albeit
one that is not very efficient in terms of the length of the ciphertext. In this
section, we will see a number of modes of encryption with lower ciphertext
expansion (defined to be the difference between the length of the ciphertext
and the length of the message).

Before continuing, note that arbitrary-length messages can be unambiguously
padded to a total length that is a multiple of any desired block size by
appending a 1 followed by sufficiently-many 0s. We will therefore just assume
that the length of the plaintext message is an exact multiple of the block size.
Throughout this section, we will refer to a pseudorandom permutation/block
cipher F with block length n, and will consider the encryption of messages
consisting of ℓ blocks each of length n. We present four modes of operation
and discuss their security.

Mode 1 — Electronic Code Book (ECB) mode. This is the most naive
mode of operation possible. Given a plaintext message m = m_1, m_2, ..., m_ℓ,
the ciphertext is obtained by “encrypting” each block separately, where “encryption”
here means a direct application of the pseudorandom permutation
to the plaintext block. That is, c = (F_k(m_1), F_k(m_2), ..., F_k(m_ℓ)); see Figure
3.5 for a graphic depiction with ℓ = 3. Decryption is carried out in the obvious
way, using the fact that F_k^{-1} is efficiently computable.

The encryption process here is deterministic and therefore this mode of
operation cannot possibly be CPA-secure (see the discussion following Definition
3.21). Even worse, ECB-mode encryption does not have indistinguishable
encryptions in the presence of an eavesdropper. This is due to the fact that
if the same block is repeated twice in the plaintext, this can be detected as a
repeating block in the ciphertext. Thus, it is easy to distinguish an encryption
of a plaintext that consists of two identical blocks from an encryption of
a plaintext that consists of two different blocks. We stress that this is not just
a “theoretical problem” and much information can be learned from viewing
ciphertexts that are generated in this way. ECB mode should therefore never
be used. (We include it for its historical significance only.)

FIGURE 3.6: Cipher Block Chaining (CBC) mode.

Mode 2 — Cipher Block Chaining (CBC) mode. In this mode, a random
initial vector (IV) of length n is first chosen. Then, each of the remaining
ciphertext blocks is generated by applying the pseudorandom permutation to
the XOR of the current plaintext block and the previous ciphertext block.
That is, set c_0 := IV and then, for i = 1 to ℓ, set c_i := F_k(c_{i-1} ⊕ m_i). The
final ciphertext is (c_0, c_1, ..., c_ℓ). (See Figure 3.6 for a graphical depiction.)
We stress that the IV is sent in the clear as part of the ciphertext; this is
crucial so that decryption can be carried out.

Importantly, encryption in CBC mode is probabilistic and it has been
proven that if F is a pseudorandom permutation then CBC-mode encryption
is CPA-secure. The main drawback of this mode is that encryption must
be carried out sequentially because the ciphertext block c_{i-1} is needed in order
to encrypt the plaintext block m_i. Thus, if parallel processing is available,
CBC-mode encryption may not be the most efficient choice.

One  may  be  tempted  to  think  that  it  suffices  to  use  a distinct  IV  (rather 
than  a random  IV)  for  every  encryption;  e.g.,  first  use  IV  = 1 and  then 
increment  the  IV  by  one  each  time.  In  Exercise  3.16,  we  ask  you  to  show  that 
this  variant  of  CBC-mode  encryption  is  not  secure. 
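
ECB and CBC over a toy keyed permutation, as an added example that is not the book's code: since both modes need F_k^{-1}, F_k is assumed to be a four-round Feistel network with HMAC-SHA256 as round function (a bijection by construction, used here only so that the inverse exists, not a real block cipher), with n = 256 bits and a 256-bit key. The repeated_block_positions check is the eavesdropper's test from the text: it shows the equal-block leakage of ECB and its absence in CBC.

```python
# Added example (not the book's code). Assumption: F_k is a toy 4-round Feistel
# permutation with HMAC-SHA256 as round function; n = 256 bits.
import hashlib
import hmac
import secrets

N = 32        # block length n in bytes (256 bits)
ROUNDS = 4    # rounds of the toy Feistel permutation


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Round function (assumption): HMAC over (round index || half), cut to half a block.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[: N // 2]


def F(k: bytes, x: bytes) -> bytes:
    """Toy keyed permutation F_k: a Feistel network is a bijection for any round function."""
    L, R = x[: N // 2], x[N // 2:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def F_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}: undo the rounds in reverse order (needed for ECB and CBC decryption)."""
    L, R = y[: N // 2], y[N // 2:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


def blocks(m: bytes) -> list:
    assert len(m) % N == 0, "the text assumes the message is already padded to a block multiple"
    return [m[i:i + N] for i in range(0, len(m), N)]


def ecb_encrypt(k: bytes, m: bytes) -> bytes:
    """ECB: c = (F_k(m_1), ..., F_k(m_l)); deterministic, so equal blocks give equal blocks."""
    return b"".join(F(k, mi) for mi in blocks(m))


def ecb_decrypt(k: bytes, c: bytes) -> bytes:
    return b"".join(F_inv(k, ci) for ci in blocks(c))


def cbc_encrypt(k: bytes, m: bytes, iv=None) -> bytes:
    """CBC: c_0 = IV (uniform), c_i = F_k(c_{i-1} XOR m_i); output (c_0, c_1, ..., c_l)."""
    c = [secrets.token_bytes(N) if iv is None else iv]
    for mi in blocks(m):
        c.append(F(k, xor(c[-1], mi)))
    return b"".join(c)


def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)  # cs[0] is the IV, sent in the clear
    # m_i = F_k^{-1}(c_i) XOR c_{i-1}
    return b"".join(xor(F_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


def repeated_block_positions(c: bytes, skip: int = 0) -> list:
    """Indices (after skipping `skip` leading blocks) of ciphertext blocks equal to an
    earlier one. For ECB this exposes repeated plaintext blocks; for CBC (skip=1 for
    the IV) a repeat happens only with negligible probability."""
    seen, hits = set(), []
    for i, ci in enumerate(blocks(c)[skip:]):
        if ci in seen:
            hits.append(i)
        seen.add(ci)
    return hits


if __name__ == "__main__":
    k = secrets.token_bytes(N)
    m = (b"A" * N + b"B" * N) * 2          # constructed plaintext: blocks A, B, A, B
    assert F_inv(k, F(k, m[:N])) == m[:N]
    ecb, cbc = ecb_encrypt(k, m), cbc_encrypt(k, m)
    assert ecb_decrypt(k, ecb) == m and cbc_decrypt(k, cbc) == m
    print("ECB repeats at blocks", repeated_block_positions(ecb))      # [2, 3]
    print("CBC repeats at blocks", repeated_block_positions(cbc, 1))   # []
    print("ECB deterministic:", ecb == ecb_encrypt(k, m))              # True
    print("CBC deterministic:", cbc == cbc_encrypt(k, m))              # False
```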

Mode 3 — Output Feedback (OFB) mode. The third mode we present
here is called OFB. Essentially, this mode is a way of using a block cipher
to generate a pseudorandom stream that is then XORed with the message.
First, a random IV ← {0,1}^n is chosen and a stream is generated from
IV (independently of the plaintext message) in the following way: Define
r_0 := IV, and set the ith block r_i of the stream to r_i := F_k(r_{i-1}). Then, each
block of the plaintext is encrypted by XORing it with the appropriate block
of the stream; that is, c_i := m_i ⊕ r_i. (See Figure 3.7 for a graphical depiction.)


FIGURE 3.7: Output Feedback (OFB) mode.


As  in  CBC  mode,  the  IV  is  included  in  the  clear  as  part  of  the  ciphertext  in 
order  to  enable  decryption;  in  contrast  to  CBC  mode,  here  it  is  not  required 
that  F be  invertible  (in  fact,  it  need  not  even  be  a permutation). 

This mode is also probabilistic, and it can be shown that it too is a CPA-secure
encryption scheme if F is a pseudorandom function. Here, both encryption
and decryption must be carried out sequentially. On the other hand, this
mode has the advantage that the bulk of the computation (namely, computation
of the pseudorandom stream) can be done independently of the actual
message to be encrypted. So, it may be possible to prepare a stream ahead of
time using pre-processing, after which point the encryption of the plaintext
(once it is known) is incredibly fast.

Mode 4 — Counter (CTR) mode. There are different variants of CTR-mode encryption; we describe the randomized counter mode here. As with OFB, counter mode can be viewed as a way of generating a pseudorandom stream from a block cipher. First, a random $IV \leftarrow \{0,1\}^n$ is chosen; here, this IV is often denoted $\mathsf{ctr}$. Then, a stream is generated by computing $r_i := F_k(\mathsf{ctr} + i)$ (where $\mathsf{ctr}$ and $i$ are viewed as integers and addition is performed modulo $2^n$). Finally, the $i$th ciphertext block is computed as $c_i := r_i \oplus m_i$, and the IV is again sent as part of the ciphertext. See Figure 3.8 for a graphical depiction of this mode. Note once again that decryption does not require $F$ to be invertible, or even a permutation.

Counter mode has a number of important properties. First and foremost, randomized counter mode (i.e., when $\mathsf{ctr}$ is chosen uniformly at random each time a message is encrypted) is CPA-secure, as will be proven below. Second, both encryption and decryption can be fully parallelized and, as with OFB mode, it is possible to generate the pseudorandom stream ahead of time, independently of the message. Finally, it is possible to decrypt the $i$th block of the ciphertext without decrypting anything else; this property is called random access. The above make counter mode a very attractive choice.

FIGURE 3.8: Counter (CTR) mode.
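The OFB and CTR stream generation described above, written out as an added example; it is not code from the book. The keyed function $F_k$ is stood in for by HMAC-SHA256 truncated to a 16-byte block (an assumption of this example: it is a pseudorandom function but not a permutation, which is exactly what these two modes permit). The function names (`ofb_encrypt`, `ctr_decrypt_block`, and so on) are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block length in bytes (n = 128 bits); an assumption of this example


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for F_k (assumption): HMAC-SHA256 truncated to one block.

    It is not a permutation, which is fine: OFB and CTR never invert F.
    """
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, so a trailing partial block works too
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_stream(key: bytes, iv: bytes, nblocks: int) -> list:
    """r_0 := IV, r_i := F_k(r_{i-1}).  Inherently sequential: r_i needs r_{i-1}."""
    r, blocks = iv, []
    for _ in range(nblocks):
        r = prf(key, r)
        blocks.append(r)
    return blocks


def ctr_block(key: bytes, ctr: bytes, i: int) -> bytes:
    """r_i := F_k(ctr + i) with addition modulo 2^n.  Each block is independent."""
    x = (int.from_bytes(ctr, "big") + i) % (1 << (8 * BLOCK))
    return prf(key, x.to_bytes(BLOCK, "big"))


def _nblocks(length: int) -> int:
    return -(-length // BLOCK)  # ceiling division; the last stream block is truncated


def ofb_encrypt(key: bytes, m: bytes, iv: bytes = None):
    """Returns (IV, ciphertext); the IV travels in the clear."""
    iv = os.urandom(BLOCK) if iv is None else iv
    stream = b"".join(ofb_stream(key, iv, _nblocks(len(m))))
    return iv, xor(m, stream)


def ofb_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    # Decryption regenerates the same stream, so it is literally encryption again.
    return ofb_encrypt(key, c, iv)[1]


def ctr_encrypt(key: bytes, m: bytes, ctr: bytes = None):
    """Returns (ctr, ciphertext); blocks could be computed in parallel."""
    ctr = os.urandom(BLOCK) if ctr is None else ctr
    stream = b"".join(ctr_block(key, ctr, i) for i in range(1, _nblocks(len(m)) + 1))
    return ctr, xor(m, stream)


def ctr_decrypt(key: bytes, ctr: bytes, c: bytes) -> bytes:
    return ctr_encrypt(key, c, ctr)[1]


def ctr_decrypt_block(key: bytes, ctr: bytes, c: bytes, i: int) -> bytes:
    """Random access: recover plaintext block i (1-based) without touching the rest."""
    return xor(c[(i - 1) * BLOCK : i * BLOCK], ctr_block(key, ctr, i))


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    msg = b"constructed sample plaintext, three blocks and a bit"
    ctr, ct = ctr_encrypt(key, msg)
    assert ctr_decrypt(key, ctr, ct) == msg
    assert ctr_decrypt_block(key, ctr, ct, 2) == msg[BLOCK:2 * BLOCK]
    iv, ct2 = ofb_encrypt(key, msg)
    assert ofb_decrypt(key, iv, ct2) == msg
    print("OFB and CTR round trips OK")
```

The two decryption functions are the encryption functions run on the ciphertext, which is the concrete meaning of "$F$ need not be invertible". The modular addition in `ctr_block` also shows why a counter that wraps around behaves like any other counter value; the overlap analysis in the proof of Theorem 3.29 is what limits how far the counter may safely be run.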


THEOREM  3.29  If  F is  a pseudorandom  function,  then  randomized 
counter  mode  (as  described  above)  has  indistinguishable  encryptions  under 
a chosen-plaintext  attack. 


PROOF  As  in  the  proof  of  Theorem  3.25,  we  prove  the  present  theorem 
by  first  showing  that  randomized  counter  mode  is  CPA-secure  when  a truly 
random  function  is  used.  We  then  prove  that  replacing  the  random  function 
by  a pseudorandom  function  cannot  make  the  scheme  insecure. 

Let $\mathsf{ctr}^*$ denote the initial value $\mathsf{ctr}$ used when the challenge ciphertext is encrypted in the $\mathsf{PrivK}^{\mathsf{cpa}}$ experiment. Intuitively, when a random function $f$ is used in randomized counter mode, security is achieved as long as each block $c_i$ of the challenge ciphertext is encrypted using a value $\mathsf{ctr}^* + i$ that was never used by the encryption oracle in answering any of its queries. This is so because if $\mathsf{ctr}^* + i$ was never used to answer a previous encryption query, then the value $f(\mathsf{ctr}^* + i)$ is a completely random value, and so XORing this value with a block of the plaintext has the same effect as encrypting with the one-time pad. Proving that randomized counter mode is CPA-secure when using a random function thus boils down to bounding the probability that $\mathsf{ctr}^* + i$ was previously used.

Let $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ denote the randomized counter mode encryption scheme, and let $\tilde{\Pi} = (\widetilde{\mathsf{Gen}}, \widetilde{\mathsf{Enc}}, \widetilde{\mathsf{Dec}})$ be an encryption scheme that is identical to $\Pi$ except that instead of using a pseudorandom permutation $F$ with a randomly-chosen key, a truly random function is used instead. That is, $\widetilde{\mathsf{Gen}}(1^n)$ chooses a random function $f \leftarrow \mathsf{Func}_n$, and $\widetilde{\mathsf{Enc}}$ encrypts just like $\mathsf{Enc}$ except that $f$ is used instead of $F_k$. (Of course, neither $\widetilde{\mathsf{Gen}}$ nor $\widetilde{\mathsf{Enc}}$ are efficient algorithms, but this does not matter for the purposes of defining an experiment involving $\tilde{\Pi}$.) We now show that for every probabilistic polynomial-time adversary $\mathcal{A}$, there exists a negligible function $\mathsf{negl}$ such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n). \qquad (3.6)$$

Actually, we do not need to make any assumptions regarding the running time (or computational power) of $\mathcal{A}$; it is sufficient to require only that $\mathcal{A}$ make a polynomial number of queries to its encryption oracle (with each query being a message of polynomial length), and in addition that $\mathcal{A}$ outputs $m_0, m_1$ of polynomial length.

Let $q$ be a polynomial upper-bound on the number of oracle queries made by $\mathcal{A}$ as well as the maximum length of any such query and the maximum length of $m_0, m_1$. Fix some value $n$ for the security parameter. Let $\mathsf{ctr}^*$ denote the initial value $\mathsf{ctr}$ used when the challenge ciphertext is encrypted, and let $\mathsf{ctr}_i$ denote the initial value $\mathsf{ctr}$ used when the encryption oracle answers the $i$th oracle query of $\mathcal{A}$. When the challenge ciphertext is encrypted, the function $f$ is applied to the values $\mathsf{ctr}^* + 1, \ldots, \mathsf{ctr}^* + \ell^*$, where $\ell^* \le q(n)$ is the length of $m_0$ and $m_1$. When the $i$th oracle query is answered, the function $f$ is applied to the values $\mathsf{ctr}_i + 1, \ldots, \mathsf{ctr}_i + \ell_i$, where $\ell_i \le q(n)$ is the length (in blocks) of the message whose encryption was requested. There are two cases to consider:

Case 1. There do not exist any $i, j, j' \ge 1$ (with $j \le \ell_i$ and $j' \le \ell^*$) for which $\mathsf{ctr}_i + j = \mathsf{ctr}^* + j'$: In this case, the values $f(\mathsf{ctr}^* + 1), \ldots, f(\mathsf{ctr}^* + \ell^*)$ used when encrypting the challenge ciphertext are independently and uniformly distributed since $f$ was not applied to any of these inputs when encrypting any of the adversary's oracle queries. This means that the challenge ciphertext is computed by XORing a random stream of bits to the message $m_b$, and so the probability that $\mathcal{A}$ outputs $b' = b$ in this case is exactly 1/2 (as in the case of the one-time pad).

Case 2. There exist $i, j, j' \ge 1$ (with $j \le \ell_i$ and $j' \le \ell^*$) for which $\mathsf{ctr}_i + j = \mathsf{ctr}^* + j'$: That is, the value used to encrypt block $j$ of the $i$th encryption oracle query is the same as the value used to encrypt block $j'$ of the challenge ciphertext. In this case $\mathcal{A}$ may easily determine which of its messages was encrypted to give the challenge ciphertext (since the adversary can deduce the value of $f(\mathsf{ctr}_i + j) = f(\mathsf{ctr}^* + j')$ from the answer to its $i$th oracle query).

Let us now analyze the probability that this occurs. The probability is maximized if $\ell^*$ and each $\ell_i$ are as large as possible, and so we assume that $\ell^* = \ell_i = q(n)$ for all $i$. Let $\mathsf{Overlap}_i$ denote the event that the sequence $\mathsf{ctr}_i + 1, \ldots, \mathsf{ctr}_i + q(n)$ overlaps the sequence $\mathsf{ctr}^* + 1, \ldots, \mathsf{ctr}^* + q(n)$, and let $\mathsf{Overlap}$ denote the event that $\mathsf{Overlap}_i$ occurs for some $i$. Since there are at most $q(n)$ oracle queries, a union bound gives

$$\Pr[\mathsf{Overlap}] \le \sum_{i=1}^{q(n)} \Pr[\mathsf{Overlap}_i]. \qquad (3.7)$$

Fixing $\mathsf{ctr}^*$, event $\mathsf{Overlap}_i$ occurs exactly when $\mathsf{ctr}_i$ satisfies

$$\mathsf{ctr}^* + 1 - q(n) \le \mathsf{ctr}_i \le \mathsf{ctr}^* + q(n) - 1.$$

Since there are $2q(n) - 1$ values of $\mathsf{ctr}_i$ for which $\mathsf{Overlap}_i$ can occur, and $\mathsf{ctr}_i$ is chosen uniformly at random from $\{0,1\}^n$, we see that

$$\Pr[\mathsf{Overlap}_i] = \frac{2q(n) - 1}{2^n} < \frac{2q(n)}{2^n}.$$

Combined with Equation (3.7), this gives $\Pr[\mathsf{Overlap}] < 2q(n)^2/2^n$.

Given the above, we can easily bound the success probability of $\mathcal{A}$:

$$\begin{aligned}
\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\tilde{\Pi}}(n) = 1\right]
&= \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\tilde{\Pi}}(n) = 1 \wedge \mathsf{Overlap}\right]
 + \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\tilde{\Pi}}(n) = 1 \wedge \overline{\mathsf{Overlap}}\right] \\
&\le \Pr[\mathsf{Overlap}] + \Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\tilde{\Pi}}(n) = 1 \;\middle|\; \overline{\mathsf{Overlap}}\right] \\
&< \frac{2q(n)^2}{2^n} + \frac{1}{2}.
\end{aligned}$$

Since $q$ is polynomial, $2q(n)^2/2^n$ is negligible, proving Equation (3.6). That is, the (imaginary) scheme $\tilde{\Pi}$ is CPA-secure.

The next step in the proof is to show that this implies that $\Pi$ (i.e., the scheme we are interested in) is CPA-secure; that is, that for any probabilistic polynomial-time $\mathcal{A}$ there exists a negligible function $\mathsf{negl}'$ such that

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}'(n).$$

Intuitively, this is because replacing the random function $f$ used in $\tilde{\Pi}$ by the pseudorandom function used in $\Pi$ should have "no effect" as far as a polynomial-time adversary is concerned. Of course, this intuition should be rigorously proved. This proof is very similar to the analogous step in the proof of Theorem 3.25, and so is left as an exercise. ∎


Block length and security. All the above modes (with the exception of ECB that is anyway not secure) use a random IV. The IV has the effect of randomizing the encryption process, and ensures that (with high probability) the block cipher is always evaluated on a new input that was never used before. This is important because, as we have seen in the proofs of Theorem 3.25 and Theorem 3.29, if an input to the block cipher is used more than once then security can be violated. (E.g., in the case of counter mode, the same pseudorandom string will be XORed with two different plaintext blocks.) Interestingly, this shows that it is not only the key length of a block cipher that is important in evaluating its security, but also its block length. For example, say we use a block cipher with a 64-bit block length. We showed in the proof of Theorem 3.29 that, in randomized counter mode, even if a completely random function with this block length is used (i.e., even if the block cipher is "perfect"), an adversary can achieve success probability roughly $\frac{1}{2} + \frac{2q^2}{2^{64}}$ in a chosen-plaintext attack when it makes $q$ queries to its encryption oracle, each $q$ blocks long. Although this is asymptotically negligible (when the block length grows as a function of the security parameter $n$), security no longer holds in any practical sense (for this particular block length) when $q \approx 2^{30}$. Depending on the application, one may want to switch to a block cipher having a larger block length ($2^{30}$ is only one gigabyte, which is not much considering today's storage needs).
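The counting step in the proof of Theorem 3.29 and the 64-bit figure just given, checked numerically as an added example (this is not code from the book). `ctr_overlap_bound` is the proof's $2q(n)^2/2^n$, `union_bound` is Equation (3.7) with $(2q(n)-1)/2^n$ plugged in, and the exact and simulated values assume, as the proof does, that the $\mathsf{ctr}_i$ are independent and uniform in $\{0,1\}^n$. All function names are this example's own.

```python
import random
from fractions import Fraction
from math import isqrt


def single_query_overlap_prob(n: int, q: int) -> Fraction:
    """Pr[Overlap_i] = (2q - 1)/2^n: ctr_i must fall in ctr* + 1 - q .. ctr* + q - 1."""
    assert 2 * q - 1 <= 2 ** n
    return Fraction(2 * q - 1, 2 ** n)


def union_bound(n: int, q: int) -> Fraction:
    """Equation (3.7) with the per-query probability plugged in: q(2q - 1)/2^n."""
    return q * single_query_overlap_prob(n, q)


def ctr_overlap_bound(n: int, q: int) -> Fraction:
    """The rounded-up bound used in the proof: 2 q^2 / 2^n."""
    return Fraction(2 * q * q, 2 ** n)


def exact_overlap_prob(n: int, q: int) -> Fraction:
    """Exact Pr[Overlap] when the q counters are independent and uniform."""
    p = single_query_overlap_prob(n, q)
    return 1 - (1 - p) ** q


def overlaps(ctr_star: int, ctr_i: int, q: int, n: int) -> bool:
    """Do ctr*+1..ctr*+q and ctr_i+1..ctr_i+q share a value (mod 2^n)?"""
    size = 1 << n
    d = (ctr_i - ctr_star) % size
    return d < q or size - d < q       # |ctr_i - ctr*| <= q - 1, counted modulo 2^n


def count_overlapping_counters(n: int, q: int, ctr_star: int = 0) -> int:
    """Brute-force the counting step for small n: how many ctr_i cause Overlap_i?"""
    return sum(overlaps(ctr_star, c, q, n) for c in range(1 << n))


def simulate_overlap(n: int, q: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr[Overlap] for q queries of q blocks each."""
    rng = random.Random(seed)
    size = 1 << n
    hits = 0
    for _ in range(trials):
        ctr_star = rng.randrange(size)
        if any(overlaps(ctr_star, rng.randrange(size), q, n) for _ in range(q)):
            hits += 1
    return hits / trials


def queries_for_advantage(n: int, target) -> int:
    """Largest q with 2q^2/2^n <= target: how much traffic a block length tolerates."""
    return isqrt(int(Fraction(2 ** n) * Fraction(target) / 2))


if __name__ == "__main__":
    # 64-bit blocks: at q = 2^30 the bound is already 1/8, far from negligible.
    print("n=64, q=2^30:", ctr_overlap_bound(64, 2 ** 30))
    for n in (64, 128):
        q = queries_for_advantage(n, Fraction(1, 2 ** 32))
        print(f"n={n}: bound stays below 2^-32 up to q ~ 2^{q.bit_length() - 1}")
```

`queries_for_advantage` is the practitioner's reading of the bound: it is the number of queries (each that many blocks long) a deployment can absorb before the proof's bound on the adversary's advantage exceeds a chosen target, which is why a 128-bit block cipher tolerates vastly more data under one key than a 64-bit one.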

Other  modes  of  operation.  In  recent  years,  many  different  modes  of  oper- 
ation have  been  introduced,  each  offering  its  own  unique  advantages  in  some 
setting.  Nevertheless,  in  general,  CBC,  OFB,  and  CTR  modes  suffice  for  most 
applications  where  CPA-security  is  needed. 


Modes  of  encryption  and  message  tampering.  In  many  texts  on  cryp- 
tography, modes  of  operation  are  also  compared  based  on  how  well  they  pro- 
tect against  adversarial  modifications  of  the  ciphertext.  We  do  not  include 
such  a comparison  here  because  the  issue  of  message  integrity  or  message  au- 
thentication should  be  dealt  with  separately  from  encryption,  and  we  do  so  in 
the  next  chapter.  None  of  the  above  modes  achieve  message  integrity  in  the 
sense  we  will  define  there.  Further  discussion  is  given  in  the  next  chapter. 

Stream ciphers versus block ciphers. As we have seen here for the OFB and counter modes, it is possible to work in "stream-cipher mode" using a block cipher (i.e., generating a stream of pseudorandom bits and XORing this stream with the plaintext). Furthermore, a block cipher can be used to generate multiple (independent) pseudorandom streams, while (in general) a stream cipher is limited to generating a single such stream. This begs the question: which is preferable, a block cipher or a stream cipher? The only advantage of stream ciphers is their relative efficiency, though this gain may only be a factor of two unless one is using severely resource-constrained devices such as PDAs or cell phones. On the other hand, stream ciphers appear to be much less well understood (in practice) than block ciphers. There are a number of excellent block ciphers that are efficient and believed to be highly secure (we will study two of these in Chapter 5). In contrast, stream ciphers seem to be broken more often, and confidence in their security is lower. It is also more likely that stream ciphers will be misused in such a way that the same pseudorandom stream will be used twice. We therefore recommend using block ciphers unless for some reason this is not possible.

Footnote: In particular, estimates from [42] indicate that on a typical home PC the stream cipher RC4 is only about twice as fast as the block cipher AES, measured in terms of bits/second.
3.7 Security Against Chosen-Ciphertext Attacks (CCA)

Until now, we have defined security against two types of adversaries: a passive adversary that only eavesdrops, and an active adversary that carries out a chosen-plaintext attack. A third type of attack, called a chosen-ciphertext attack, is even more powerful than these two. In a chosen-ciphertext attack, we provide the adversary not only with the ability to encrypt messages of its choice (as in a chosen-plaintext attack), but also with the ability to decrypt ciphertexts of its choice (with one exception discussed later). Formally, we give the adversary access to a decryption oracle in addition to an encryption oracle. We present the formal definition and defer further discussion until afterward.

Consider the following experiment for any private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$, adversary $\mathcal{A}$, and value $n$ for the security parameter.

The CCA indistinguishability experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$:

1. A key $k$ is generated by running $\mathsf{Gen}(1^n)$.

2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$. It outputs a pair of messages $m_0, m_1$ of the same length.

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to $\mathcal{A}$. We call $c$ the challenge ciphertext.

4. The adversary $\mathcal{A}$ continues to have oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$, but is not allowed to query the latter on the challenge ciphertext itself. Eventually, $\mathcal{A}$ outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.


DEFINITION 3.30 A private-key encryption scheme $\Pi$ has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that:

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over all random coins used in the experiment.

In  the  experiment  above,  the  adversary’s  access  to  the  decryption  oracle  is 
unlimited  except  for  the  restriction  that  the  adversary  may  not  request  de- 
cryption of  the  challenge  ciphertext  itself.  This  restriction  is  necessary  or  else 
there  is  clearly  no  hope  for  any  encryption  scheme  to  satisfy  Definition  3.30. 
At this point you may be wondering if chosen-ciphertext attacks realistically
model  any  real-world  attack.  As  in  the  case  of  a chosen-plaintext  attack,  we 
do  not  expect  honest  parties  to  decrypt  arbitrary  ciphertexts  of  an  adversary’s 
choice.  Nevertheless,  there  may  be  scenarios  where  an  adversary  might  be  able 
to  influence  what  gets  decrypted,  and  learn  some  partial  information  about 
the  result: 

1.  In  the  case  of  Midway  (see  Section  3.5)  it  is  conceivable  that  the  US 
cryptanalysts  might  also  have  tried  to  send  encrypted  messages  to  the 
Japanese  and  then  monitor  their  behavior.  Such  behavior  (e.g.,  move- 
ment of  forces  and  the  like)  could  have  provided  important  information 
about  the  underlying  plaintext. 

2.  Imagine  a user  communicating  with  their  bank,  where  all  communica- 
tion is  encrypted.  If  this  communication  is  not  authenticated,  then  an 
adversary  may  be  able  to  send  certain  ciphertexts  on  behalf  of  the  user; 
the  bank  will  decrypt  these  ciphertexts,  and  the  adversary  may  learn 
something  about  the  result.  For  example,  if  a ciphertext  corresponds  to 
an  ill-formed  plaintext  (e.g.,  a gibberish  message,  or  simply  one  that  is 
not  formatted  correctly),  the  adversary  may  be  able  to  deduce  this  from 
the  bank’s  reaction  (i.e.,  the  pattern  of  subsequent  communication). 

3. Encryption is often used in higher-level protocols; e.g., an encryption
scheme  might  be  used  as  part  of  an  authentication  protocol  where  one 
party  sends  a ciphertext  to  the  other,  who  decrypts  it  and  returns  the 
result.  In  this  case,  one  of  the  honest  parties  may  act  exactly  like  a 
decryption  oracle  and  so  the  scheme  must  be  CCA  secure. 

Insecurity of the schemes we have studied. None of the encryption schemes we have seen is CCA-secure. We will demonstrate this for Construction 3.24, where encryption is carried out as $\mathsf{Enc}_k(m) = (r, F_k(r) \oplus m)$. The fact that this scheme is not CCA-secure can be easily demonstrated as follows. An adversary $\mathcal{A}$ running in the CCA indistinguishability experiment can choose $m_0 = 0^n$ and $m_1 = 1^n$. Then, upon receiving a ciphertext $c = (r, s)$, the adversary $\mathcal{A}$ can flip the first bit of $s$ and ask for a decryption of the resulting ciphertext $c'$. Since $c' \ne c$, this query is allowed, and the decryption oracle answers with either $10^{n-1}$ (in which case it is clear that $b = 0$) or $01^{n-1}$ (in which case $b = 1$). This example demonstrates why CCA-security is so stringent. Specifically, any encryption scheme that allows ciphertexts to be manipulated in any "logical way" cannot be CCA-secure. Thus, CCA-security actually implies a very important property called non-malleability. Loosely speaking, a non-malleable encryption scheme has the property that if the adversary tries to modify a given ciphertext, the result is either an illegal ciphertext or one that encrypts a plaintext having no relation to the original one. We leave for an exercise the demonstration that none of the modes of encryption we have seen is CCA-secure.
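The argument just given for Construction 3.24, run end to end in the CCA experiment, as an added example that is not code from the book; the same malleability is what the dollar-amount example of Section 4.2 relies on, so that case is included too. $F_k$ is stood in for by HMAC-SHA256 truncated to one block (an assumption of this example; any pseudorandom function would do), the decryption oracle is a closure that refuses exactly one query, the challenge ciphertext, as Definition 3.30 prescribes, and all function names are this example's own.

```python
import hashlib
import hmac
import os

N = 16  # block length in bytes; an assumption of this example


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for F_k (assumption): HMAC-SHA256 truncated to n bits."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, m: bytes):
    """Construction 3.24: Enc_k(m) = (r, F_k(r) XOR m) with a fresh random r."""
    r = os.urandom(N)
    return r, xor(prf(key, r), m)


def dec(key: bytes, c) -> bytes:
    r, s = c
    return xor(prf(key, r), s)


def flip_bit(data: bytes, k: int) -> bytes:
    """Flip the k-th least significant bit of a big-endian byte string (k = 0 is the LSB)."""
    out = bytearray(data)
    out[len(out) - 1 - k // 8] ^= 1 << (k % 8)
    return bytes(out)


def make_dec_oracle(key: bytes, challenge):
    """Decryption oracle of PrivK^cca: answers everything except the challenge itself."""
    def oracle(c):
        if c == challenge:
            raise ValueError("querying the challenge ciphertext is not allowed")
        return dec(key, c)
    return oracle


M0, M1 = b"\x00" * N, b"\xff" * N  # the adversary's choice of m_0 = 0^n and m_1 = 1^n
FIRST_BIT = 8 * N - 1              # "first bit" of an n-bit string = most significant bit


def cca_adversary(challenge, dec_oracle) -> int:
    """Flip the first bit of s, have c' != c decrypted, and read b off the answer."""
    r, s = challenge
    m_prime = dec_oracle((r, flip_bit(s, FIRST_BIT)))   # allowed: c' differs from c
    return 0 if m_prime == flip_bit(M0, FIRST_BIT) else 1   # 10^{n-1} means b = 0


def cca_experiment(key: bytes, b: int) -> bool:
    """One run of PrivK^cca with this adversary; True when it outputs b' = b."""
    challenge = enc(key, [M0, M1][b])
    return cca_adversary(challenge, make_dec_oracle(key, challenge)) == b


def tampered_amount(key: bytes, amount: int, bit: int = 10) -> int:
    """Section 4.2's example: an encrypted dollar amount whose 11th least
    significant ciphertext bit (index 10) is flipped decrypts to amount XOR 1024."""
    r, s = enc(key, amount.to_bytes(N, "big"))
    return int.from_bytes(dec(key, (r, flip_bit(s, bit))), "big")


if __name__ == "__main__":
    key = os.urandom(N)
    assert cca_experiment(key, 0) and cca_experiment(key, 1)
    print("adversary guesses b correctly for both b; $5 decrypts as $", tampered_amount(key, 5))
```

The adversary never learns $k$ and never sees $F_k(r)$; the one-bit change it makes to $s$ passes straight through the XOR into the plaintext, which is exactly the "logical" manipulation that non-malleability rules out. Note that the receiver in `tampered_amount` has no way to tell that anything happened: the ciphertext decrypts cleanly, just to the wrong number.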
Constructing a CCA-secure encryption scheme. We show how to construct a CCA-secure encryption scheme in Section 4.8. The construction is presented there because it uses tools that we develop in Chapter 4.

Exercises

3.1  Prove  Proposition  3.6. 

3.2 The best algorithm known today for finding the prime factors of an $n$-bit number runs in time $2^{c \cdot n^{1/3} \cdot (\log n)^{2/3}}$. Assuming 4GHz computers and $c = 1$ (and that the units of the given expression are clock cycles), estimate the size of numbers that cannot be factored for the next 100 years.

3.3 Prove that Definition 3.8 cannot be satisfied if $\Pi$ can encrypt arbitrary-length messages and the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$.

Hint: Let $q(n)$ be a polynomial upper-bound on the length of the ciphertext when $n$ is used to encrypt a single bit. Then consider an adversary who outputs $m_0 \in \{0,1\}$ and a random $m_1 \in \{0,1\}^{q(n)+2}$.

3.4 Say $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is such that for $k \in \{0,1\}^n$, algorithm $\mathsf{Enc}_k$ is only defined for messages of length at most $\ell(n)$ (for some polynomial $\ell$). Construct a scheme satisfying Definition 3.8 even when the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$.

3.5  Prove  the  equivalence  of  Definition  3.8  and  Definition  3.9. 

3.6 Let $G$ be a pseudorandom generator where $|G(s)| \ge 2 \cdot |s|$.

(a) Define $G'(s) := G(s \| 0^{|s|})$. Is $G'$ necessarily a pseudorandom generator?

(b) Define $G'(s) := G(s_1 \cdots s_{n/2})$, where $s = s_1 \cdots s_n$. Is $G'$ necessarily a pseudorandom generator?

3.7  Assuming  the  existence  of  a pseudorandom  function,  prove  that  there 
exists  an  encryption  scheme  that  has  indistinguishable  multiple  encryp- 
tions in  the  presence  of  an  eavesdropper  (i.e.,  is  secure  with  respect  to 
Definition  3.18),  but  is  not  CPA-secure  (i.e.,  is  not  secure  with  respect 
to  Definition  3.21). 

Hint: The scheme need not be "natural". You will need to use the fact
that  in  a chosen-plaintext  attack  the  adversary  can  choose  its  queries  to 
the  encryption  oracle  adaptively. 

3.8 Prove unconditionally the existence of an efficient pseudorandom function $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ where the input length is logarithmic in the security parameter (and the key has length polynomial in the security parameter).

Hint: Implement a random function with logarithmic input length.

3.9 Present a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove that your construction satisfies Definition 3.17.

3.10 Let $G$ be a pseudorandom generator and define $G'(s)$ to be the output of $G$ truncated to $n$ bits (where $|s| = n$). Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.

3.11  Prove  Proposition  3.27  (i.e.,  prove  that  any  pseudorandom  permutation 
is  also  a pseudorandom  function). 

Hint:  Show  that  in  polynomial  time,  a random  permutation  cannot  be 
distinguished  from  a random  function  (use  the  results  of  Appendix  A.4). 

3.12  Define  a notion  of  perfect  secrecy  against  a chosen-plaintext  attack  via 
the  natural  adaptation  of  Definition  3.21.  Show  that  the  definition  can- 
not be  achieved. 

3.13  Assume  that  F is  a pseudorandom  permutation.  Show  that  there  exists 
a function  F'  that  is  a pseudorandom  permutation  but  is  not  a strong 
pseudorandom  permutation. 

Hint:  Construct  F'  such  that 

3.14 Let $F$ be a pseudorandom permutation, and define a fixed-length encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ as follows: On input $m \in \{0,1\}^{n/2}$ and key $k \in \{0,1\}^n$, algorithm $\mathsf{Enc}$ chooses a random string $r \leftarrow \{0,1\}^{n/2}$ of length $n/2$ and computes $c := F_k(r \| m)$.

Show  how  to  decrypt,  and  prove  that  this  scheme  is  CPA-secure  for 
messages  of  length  n/2.  (If  you  are  looking  for  a real  challenge,  prove 
that  this  scheme  is  CCA-secure  if  F is  a strong  pseudorandom  permuta- 
tion.) What  are  the  advantages  and  disadvantages  of  this  construction 
as  compared  to  Construction  3.24? 

3.15 Let $F$ be a pseudorandom function, and $G$ a pseudorandom generator with expansion factor $\ell(n) = n + 1$. For each of the following encryption schemes, state whether the scheme has indistinguishable encryptions in the presence of an eavesdropper and whether it is CPA-secure. In each case, the shared key is a random $k \in \{0,1\}^n$.

(a) To encrypt $m \in \{0,1\}^{2n+2}$, parse $m$ as $m_1 \| m_2$ with $|m_1| = |m_2|$ and send $(G(k) \oplus m_1,\; G(k+1) \oplus m_2)$.

(b) To encrypt $m \in \{0,1\}^{n+1}$, choose a random $r \leftarrow \{0,1\}^n$ and send $(r,\; G(r) \oplus m)$.

(c) To encrypt $m \in \{0,1\}^n$, send $m \oplus F_k(0^n)$.

(d) To encrypt $m \in \{0,1\}^{2n}$, parse $m$ as $m_1 \| m_2$ with $|m_1| = |m_2|$, then choose $r \leftarrow \{0,1\}^n$ at random, and send $(r,\; m_1 \oplus F_k(r),\; m_2 \oplus F_k(r+1))$.
3.16 Consider a variant of CBC-mode encryption where the sender simply
increments  the  IV  by  1 each  time  a message  is  encrypted  (rather  than 
choosing  IV  at  random  each  time).  Show  that  the  resulting  scheme  is 
not  CPA-secure. 


3.17  Present  formulas  for  decryption  of  all  the  different  modes  of  encryption 
we  have  seen.  For  which  modes  can  decryption  be  parallelized? 

3.18  Complete  the  proof  of  Theorem  3.29. 


3.19 Let $F$ be a pseudorandom function such that for $k \in \{0,1\}^n$ the function $F_k$ maps $\ell_{in}(n)$-bit inputs to $\ell_{out}(n)$-bit outputs. (Throughout this chapter, we have assumed $\ell_{in}(n) = \ell_{out}(n) = n$.)

(a) Consider implementing counter mode encryption using an $F$ of this form. For which functions $\ell_{in}, \ell_{out}$ is the resulting encryption scheme CPA-secure?

(b) Consider implementing counter mode encryption using an $F$ as above, but only for fixed-length messages of length $\ell(n)$ (which is always an integer multiple of $\ell_{out}(n)$). For which $\ell_{in}, \ell_{out}, \ell$ is the scheme CPA-secure? For which $\ell_{in}, \ell_{out}, \ell$ does the scheme have indistinguishable encryptions in the presence of an eavesdropper?


3.20 For a function $g : \{0,1\}^n \to \{0,1\}^n$, let $g^{\$}(\cdot)$ be an oracle that, on input $1^n$, chooses $r \leftarrow \{0,1\}^n$ uniformly at random and returns $(r, g(r))$. We say a keyed function $F$ is a weak pseudorandom function if for all ppt algorithms $D$, there exists a negligible function $\mathsf{negl}$ such that:

$$\left| \Pr\left[D^{F_k^{\$}(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f^{\$}(\cdot)}(1^n) = 1\right] \right| \le \mathsf{negl}(n),$$

where $k \leftarrow \{0,1\}^n$ and $f \leftarrow \mathsf{Func}_n$ are chosen uniformly at random.

(a) Prove that if $F$ is pseudorandom then it is weakly pseudorandom.

(b) Let $F'$ be a pseudorandom function, and define

$$F_k(x) := \begin{cases} F'_k(x) & \text{if } x \text{ is even} \\ F'_k(x+1) & \text{if } x \text{ is odd} \end{cases}$$

Prove that $F$ is weakly pseudorandom, but not pseudorandom.

(c) Is counter-mode encryption instantiated using a weak pseudorandom function $F$ necessarily CPA-secure? Does it necessarily have indistinguishable encryptions in the presence of an eavesdropper? Prove your answers.

(d) Construct a CPA-secure encryption scheme based on a weak pseudorandom function.

Hint: One of the constructions in this chapter will work.
3.21 Let $\Pi_1 = (\mathsf{Gen}_1, \mathsf{Enc}_1, \mathsf{Dec}_1)$ and $\Pi_2 = (\mathsf{Gen}_2, \mathsf{Enc}_2, \mathsf{Dec}_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. The problem is that you don't know which one is CPA-secure and which one may not be. Show how to construct an encryption scheme $\Pi$ that is guaranteed to be CPA-secure as long as at least one of $\Pi_1$ or $\Pi_2$ is CPA-secure. Try to provide a full proof of your answer.

Hint:  Generate  two  plaintext  messages  from  the  original  plaintext  so 
that  knowledge  of  either  one  of  the  parts  reveals  nothing  about  the  plain- 
text, but  knowledge  of  both  does  yield  the  original  plaintext. 

3.22 Show that the CBC, OFB, and counter modes of encryption do not yield CCA-secure encryption schemes (regardless of $F$).


Chapter  4 


Message  Authentication  Codes  and 
Collision-Resistant  Hash  Functions 


4.1  Secure  Communication  and  Message  Integrity 

One  of  the  most  basic  goals  of  cryptography  is  to  enable  parties  to  commu- 
nicate over  an  open  communication  channel  in  a secure  way.  But  what  does 
“secure  communication”  entail?  In  Chapter  3 we  showed  that  it  is  possible  to 
obtain  private  communication  over  an  open  channel.  That  is,  we  showed  how 
encryption  can  be  used  to  prevent  an  eavesdropper  (or  possibly  a more  active 
adversary)  from  learning  anything  about  the  content  of  messages  sent  over  an 
unprotected  communication  channel.  However,  not  all  security  concerns  are 
related  to  the  ability  or  inability  of  an  adversary  to  learn  information  about 
messages  being  sent.  In  many  cases,  it  is  of  equal  or  greater  importance  to 
guarantee  message  integrity  (or  message  authentication)  in  the  sense  that  each 
party  should  be  able  to  identify  when  a message  it  receives  was  exactly  the 
message  sent  by  the  other  party.  For  example,  consider  the  case  that  a large 
supermarket  chain  sends  an  email  request  to  purchase  10,000  crates  of  soda 
from  a supplier.  Upon  receiving  such  a request,  the  supplier  has  to  consider 
the  following: 

1.  Is  the  order  authentic?  That  is,  did  the  supermarket  chain  really  issue 
an  order,  or  was  the  order  issued  by  an  adversary  who  spoofed  the  email 
address  of  the  supermarket  (something  that  is  remarkably  easy  to  do)? 

2.  Even  if  it  can  be  assured  that  an  order  was  issued  by  the  supermarket, 
the  supplier  must  still  ask  whether  the  details  of  the  order  are  exactly 
those  intended  by  the  supermarket,  or  whether  the  order  was  changed 
en  route  by  an  adversarial  entity  (e.g.,  a malicious  router). 

The  order  itself  is  not  secret  and  therefore  the  question  of  privacy  does  not 
arise  here  at  all.  Rather,  the  problem  is  purely  one  of  message  integrity. 

In  general,  one  cannot  rely  on  the  integrity  of  communication  without  tak- 
ing specific  measures  to  ensure  it.  Indeed,  any  unprotected  online  purchase 
order,  online  banking  operation,  email,  or  SMS  message  cannot,  in  general, 
be  trusted  to  have  originated  from  the  claimed  source.  Unfortunately,  people 
are in general trusting and thus information like the caller-ID or an email return address are taken to be "proofs of origin" in many cases (even though they are relatively easy to forge). This leaves the door open to potentially damaging adversarial attacks.

In  this  chapter  we  will  show  how  to  use  cryptographic  techniques  to  prevent 
the  undetected  tampering  of  messages  that  are  sent  over  an  open  communi- 
cation line,  and  thus  achieve  message  integrity  in  the  sense  described  above. 
Note  that  we  cannot  prevent  adversarial  tampering  of  messages  altogether,  as 
this  can  only  be  defended  against  at  the  physical  level.  Instead,  what  we  will 
guarantee  is  that  any  such  tampering  will  be  detected  by  the  honest  parties. 


4.2  Encryption  vs.  Message  Authentication 

Just as the goals of privacy and message integrity are different, so are the techniques and tools for achieving them. Unfortunately, privacy and integrity are often confused and unnecessarily intertwined, so let us be clear up-front: encryption does not (in general) provide any integrity, and encryption should never be used with the intent of achieving message authentication. (Naturally, encryption may be used in conjunction with other techniques for achieving message authentication, something we will return to at the end of this chapter.)

One might mistakenly think, at first, that encryption immediately solves the problem of message authentication. (In fact, this is a common error.) This is due to the fuzzy (and incorrect) reasoning that since a ciphertext completely hides the contents of the message, an adversary cannot possibly modify an encrypted message in any meaningful way. Despite its intuitive appeal, this reasoning is completely false. We illustrate this point by showing that all the encryption schemes we have seen thus far do not provide message integrity.

Encryption using stream ciphers. First, consider the case that a message m is encrypted using a stream cipher. That is, Enc_k(m) computes the ciphertext c := G(k) ⊕ m, where G is a pseudorandom generator. Ciphertexts in this case are very easy to manipulate. Specifically, flipping any bit in the ciphertext c results in the same bit being flipped in the message that is recovered upon decryption. Thus, given a ciphertext c that encrypts a message m, it is possible to generate a modified ciphertext c' such that m' = Dec_k(c') is the same as m but with one (or more) of the bits flipped. This simple attack can have severe consequences. As a simple example, consider a user encrypting some dollar amount they want to transfer from their bank account, where this amount is represented in binary. Flipping the least significant bit has the effect of changing this amount by only $1, but flipping the 11th least significant bit changes the amount by more than $1,000! Interestingly, the adversary in this example does not learn whether it is increasing or decreasing the initial amount (i.e., whether it is flipping a 0 to a 1 or vice versa). Furthermore, the existence of this attack does not contradict the privacy of the encryption scheme (in the sense of Definition 3.8). In fact, the exact same attack applies to the one-time pad encryption scheme, showing that even perfect secrecy is not sufficient to ensure the most basic level of message integrity.

Encryption using block ciphers. The aforementioned attack utilizes the fact that flipping a single bit in a ciphertext keeps the underlying plaintext unchanged except for the corresponding bit (which is also flipped). The same attack applies to the OFB and counter mode encryption schemes, which also encrypt messages by XORing them with a pseudorandom stream (albeit one that changes each time a message is encrypted). We thus see that even using CPA-secure encryption is not enough to prevent message tampering.

One may hope that attacking ECB- or CBC-mode encryption would be more difficult since decryption in these cases involves inverting a strong pseudorandom function F, and we expect that F_k^{-1}(x) and F_k^{-1}(x') will be completely uncorrelated even if x and x' differ in only a single bit. (Of course ECB mode does not even guarantee the most basic notion of privacy, but that does not matter for the present discussion.) Nevertheless, single-bit modifications of a ciphertext still cause reasonably predictable changes in the plaintext. For example, when using ECB mode, flipping a bit in the ith block of the ciphertext affects only the ith block of the plaintext — all other blocks remain unchanged. Though the effect on the ith block of the plaintext may be impossible to predict, changing that one block (while leaving everything else unchanged) may represent a harmful attack. Similarly, when using CBC mode, flipping the jth bit of the IV changes only the jth bit of the first message block m_1 (since m_1 := F_k^{-1}(c_1) ⊕ IV', where IV' is the modified IV); all plaintext blocks other than the first remain unchanged (since the ith block of the plaintext is computed as m_i := F_k^{-1}(c_i) ⊕ c_{i-1}, and blocks c_i, c_{i-1} have not been modified). To make things worse, the order of blocks in ECB can be changed (without garbling any block), and the first block of a CBC-encrypted message can be tampered with arbitrarily as with a stream cipher. This integrity attack on CBC-mode is particularly troublesome because the first block of a message often contains highly important header information.
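The two malleability observations above, worked through in Python as an added example (not code from the book): the stream-cipher case with the dollar-amount scenario, and the CBC IV bit-flip. The generator G is stood in for by SHAKE-256 and the block cipher F by a toy 4-round Feistel permutation built from HMAC-SHA256; both stand-ins, the block size N and the demo key are assumptions of this example, not real ciphers.

```python
import hashlib
import hmac

N = 16  # block length in bytes (the cipher's n = 128 bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Copy of data with one bit flipped; bit 0 is the least significant bit
    of the big-endian integer that the bytes represent."""
    v = int.from_bytes(data, "big") ^ (1 << bit)
    return v.to_bytes(len(data), "big")


# --- stream cipher: Enc_k(m) := G(k) XOR m --------------------------------
def G(k: bytes, length: int) -> bytes:
    """Stand-in for the pseudorandom generator G (assumption: SHAKE-256)."""
    return hashlib.shake_256(k).digest(length)


def stream_enc(k: bytes, m: bytes) -> bytes:
    return xor(G(k, len(m)), m)


stream_dec = stream_enc  # XOR with the same keystream undoes the encryption


def tamper_amount(k: bytes, amount: int, bit: int) -> int:
    """Bank-transfer scenario: a 32-bit dollar amount is encrypted with the
    stream cipher, ciphertext bit `bit` is flipped in transit, and the bank
    decrypts.  Returns the amount the bank recovers."""
    c = stream_enc(k, amount.to_bytes(4, "big"))
    c_prime = flip_bit(c, bit)
    return int.from_bytes(stream_dec(k, c_prime), "big")


# --- block cipher in CBC mode ---------------------------------------------
def _round(k: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[: N // 2]


def F(k: bytes, x: bytes) -> bytes:
    """Toy 4-round Feistel permutation on N-byte blocks (assumption: stands in
    for a strong pseudorandom permutation; not a real block cipher)."""
    L, R = x[: N // 2], x[N // 2:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def F_inv(k: bytes, y: bytes) -> bytes:
    L, R = y[: N // 2], y[N // 2:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


def cbc_enc(k: bytes, iv: bytes, m: bytes) -> list:
    """CBC encryption of a message that is a whole number of blocks;
    returns the list of ciphertext blocks c_1, ..., c_d."""
    assert len(m) % N == 0
    out, prev = [], iv
    for i in range(0, len(m), N):
        prev = F(k, xor(m[i:i + N], prev))
        out.append(prev)
    return out


def cbc_dec(k: bytes, iv: bytes, cblocks: list) -> bytes:
    """CBC decryption: m_i := F_k^{-1}(c_i) XOR c_{i-1}, with c_0 = IV."""
    out, prev = [], iv
    for c in cblocks:
        out.append(xor(F_inv(k, c), prev))
        prev = c
    return b"".join(out)


def cbc_iv_flip(k: bytes, iv: bytes, m: bytes, j: int) -> bytes:
    """Encrypt m, flip bit j of the IV only, and return what decrypts: bit j
    of the first block flips and every other block is unchanged."""
    c = cbc_enc(k, iv, m)
    return cbc_dec(k, flip_bit(iv, j), c)


if __name__ == "__main__":
    k = bytes(range(16))                        # constructed demo key
    print(tamper_amount(k, 1500, 0), tamper_amount(k, 1500, 10))  # 1501 476
    m = bytes(range(48))                        # three 16-byte blocks
    iv = bytes(16)
    m_prime = cbc_iv_flip(k, iv, m, 3)
    print(m_prime[:16] == flip_bit(m[:16], 3), m_prime[16:] == m[16:])
```

Flipping bit 10 turns $1,500 into $476 but $500 into $1,524: the attacker moves the amount by exactly 2^10 without knowing in which direction, as the text notes.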

Finally, we point out that all encryption schemes we have seen thus far have the property that every possible ciphertext (perhaps satisfying some length constraint) corresponds to some valid message. So it is trivial for an adversary to “spoof” a message on behalf of one of the communicating parties — by sending some arbitrary ciphertext — even if the adversary has no idea what the underlying message will be. As we will see when we formally define authenticated communication, even an attack of this sort should be ruled out.
4.3 Message Authentication Codes — Definitions

As we have seen, encryption does not solve the problem of message authentication. Rather, an additional mechanism is needed that will enable the communicating parties to know whether or not a message was tampered with. Such mechanisms are called message authentication codes.

The aim of a message authentication code is to prevent an adversary from modifying a message sent by one party to another, without the parties detecting that a modification has been made. As in the case of encryption, this is only possible if the communicating parties have some secret that the adversary does not know (otherwise nothing can prevent an adversary from impersonating the party sending the message). Here, we will continue to consider the private-key setting where the parties share the same secret key.

The syntax of a message authentication code. Before formally defining security of a message authentication code (MAC), we first define what a MAC is and how it is used. Two users who wish to communicate in an authenticated manner begin by generating and sharing a secret key k in advance of their communication. When one party wants to send a message m to the other, she computes a MAC tag (or simply a tag) t based on the message and the shared key, and sends the message m along with the tag t to the other party. The tag is computed using a tag-generation algorithm that will be denoted by Mac; rephrasing what we have already said, the sender of a message m computes t ← Mac_k(m) and transmits (m, t) to the receiver. Upon receiving (m, t), the second party verifies whether t is a valid tag on the message m (with respect to the shared key) or not. This is done by running a verification algorithm Vrfy that takes as input the shared key as well as a message m and a tag t, and indicates whether the given tag is valid. Formally:

DEFINITION 4.1 A message authentication code (or MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that:

1. The key-generation algorithm Gen takes as input the security parameter 1^n and outputs a key k with |k| ≥ n.

2. The tag-generation algorithm Mac takes as input a key k and a message m ∈ {0,1}*, and outputs a tag t. Since this algorithm may be randomized, we write this as t ← Mac_k(m).

3. The verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We assume without loss of generality that Vrfy is deterministic, and so write this as b := Vrfy_k(m, t).


Message Authentication Codes and Collision-Resistant Hash Functions 115

It is required that for every n, every key k output by Gen(1^n), and every m ∈ {0,1}*, it holds that Vrfy_k(m, Mac_k(m)) = 1.

If (Gen, Mac, Vrfy) is such that for every k output by Gen(1^n), algorithm Mac_k is only defined for messages m ∈ {0,1}^{ℓ(n)} (and Vrfy_k outputs 0 for any m ∉ {0,1}^{ℓ(n)}), then we say that (Gen, Mac, Vrfy) is a fixed-length MAC for messages of length ℓ(n).

As with private-key encryption, it is almost always the case that Gen(1^n) chooses k ← {0,1}^n uniformly at random.

Security of message authentication codes. We now define the notion of security for message authentication codes. (Thankfully, in contrast to the case of private-key encryption, there is only one generally-accepted definition of security in this context.) The intuitive idea behind the definition of security is that no polynomial-time adversary should be able to generate a valid tag on any “new” message that was not previously sent (and authenticated) by one of the communicating parties.

As with any security definition, to formalize this notion we have to define both the adversary’s power as well as what should be considered a “break”. As usual, we consider only probabilistic polynomial-time adversaries¹ and so the real question with regard to the power of the adversary is how we model the adversary’s interaction with the communicating parties. In the setting of message authentication, an adversary observing the communication between the honest parties will be able to see all the messages sent by these parties along with their corresponding MAC tags. The adversary may also be able to influence the content of these messages, either indirectly (if external actions of the adversary affect the messages sent by the parties), or directly. As an example of the latter, consider the case where the adversary is the personal assistant of one of the parties and has significant control over what messages this party sends.

To formally model the above possibilities, we allow the adversary to request MAC tags for any messages of its choice. Formally, we give the adversary access to a MAC oracle Mac_k(·); the adversary can submit any message m that it likes to this oracle, and is given in return a tag t ← Mac_k(m).

We will consider it a “break” of the scheme if the adversary is able to output any message m along with a tag t such that: (1) t is a valid tag on the message m (i.e., Vrfy_k(m, t) = 1) and (2) the adversary had not previously requested a MAC tag on the message m (i.e., from its oracle). Adversarial success in the first condition means that, in the real world, if the adversary were to send (m, t) to one of the honest parties, then this party would be


¹ As noted in the “References and Additional Reading” section of Chapter 2, notions of perfectly-secure message authentication — where no computational restrictions are placed on the adversary — can also be considered. As in the case of perfectly-secret encryption, however, perfectly-secure MACs suffer from severe bounds on their efficiency that limit their usefulness in practice.
mistakenly fooled into thinking that m originated from the legitimate party (since Vrfy_k(m, t) = 1). The second condition is required because it is always possible for the adversary to just copy a message and MAC tag that was previously sent by the legitimate parties (and, of course, these would be accepted). Such an adversarial attack is called a replay attack and is not considered a “break” of the message authentication code. This does not mean that replay attacks are not a security concern; they are, and we will have more to say about this further below.

A MAC satisfying the level of security specified above is said to be existentially unforgeable under an adaptive chosen-message attack. “Existential unforgeability” refers to the fact that the adversary must not be able to forge a valid tag on any message, and “adaptive chosen-message attack” refers to the fact that the adversary is able to obtain MAC tags on any message it likes, where these messages may be chosen adaptively during its attack.

Toward the formal definition, consider the following experiment for a message authentication code Π = (Gen, Mac, Vrfy), an adversary A, and value n for the security parameter:

The message authentication experiment Mac-forge_{A,Π}(n):

1. A random key k is generated by running Gen(1^n).

2. The adversary A is given input 1^n and oracle access to Mac_k(·). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle.

3. The output of the experiment is defined to be 1 if and only if (1) Vrfy_k(m, t) = 1 and (2) m ∉ Q.

We define a MAC to be secure if no efficient adversary can succeed in the above experiment with non-negligible probability.

DEFINITION 4.2 A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that:

$$\Pr\left[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1\right] \le \mathsf{negl}(n).$$

Is the definition too strong? The above definition is rather strong, in two respects. First, the adversary is allowed to request a MAC tag for any message of its choice. Second, the adversary is considered to have “broken” the scheme if it can output a valid tag on any previously-unauthenticated message. One might object that both of these components of the definition are unrealistic and overly strong: in “real-world” usage of a MAC, the honest parties would only authenticate “meaningful” messages (over which the adversary might have only limited control), and similarly it should only be considered a breach of security if the adversary can forge a valid tag on a “meaningful” message. Why not tailor the definition to capture this?

The crucial point is that what constitutes a meaningful message is entirely application-dependent. While some applications of a MAC may only ever authenticate English-text messages, other applications may authenticate spreadsheet files, others database entries, and others raw data. Protocols may also be designed where anything will be authenticated — in fact, certain protocols for entity authentication do exactly this. By making the definition of security for MACs as strong as possible, we ensure that secure MACs are broadly applicable for a wide range of purposes, without having to worry about compatibility of the MAC with the semantics of the application.


Replay attacks. We emphasize that the above definition, and message authentication codes in general, offer no protection against replay attacks in which a previously-sent message (and its MAC tag) are replayed to one of the honest parties. Nevertheless, replay attacks are a serious concern. Consider the following scenario: a user Alice sends her bank an order to transfer $1,000 from her account to Bob’s account. In doing so, Alice computes a MAC tag and appends it to the message so that the bank knows that the message is authentic. If the MAC is secure, Bob will be unable to intercept the message and change the amount to $10,000 (because this would involve forging a valid tag on a previously-unauthenticated message). However, nothing prevents Bob from intercepting Alice’s message and replaying it ten times to the bank. If the bank accepts each of these messages, the net effect is that $10,000 will be transferred to Bob’s account rather than the desired $1,000.

Despite the real threat due to replay attacks, a MAC inherently cannot protect against such attacks since the definition of a MAC (Definition 4.1) does not incorporate any notion of state into the verification algorithm (and so every time a valid pair (m, t) is presented to the verification algorithm, it will always output 1). Rather, protection against replay attacks — if such protection is necessary at all — is left to some higher-level application. The reason the definition of a MAC is structured this way is, once again, because we are unwilling to assume any semantics regarding applications that use MACs; in particular, the decision as to whether or not a replayed message should be treated as “valid” is considered to be entirely application-dependent.

Two common techniques for preventing replay attacks involve the use of sequence numbers or time-stamps. The basic idea of the first approach is that each message m is assigned a sequence number i, and the MAC tag is computed over the concatenated message i||m. (Actually, it is not quite this simple since the concatenation must be done in such a way that i||m uniquely determines i and m, but we gloss over such details in this high-level overview.) It is assumed here that the sender always assigns a unique sequence number to each message, and that the receiver keeps track of which sequence numbers it has already seen. Now, any successful replay of a message m will have to forge a valid MAC tag on a new concatenated message i'||m, where i' has never been used before. This is ruled out by the security of the MAC.




A disadvantage of using sequence numbers is that the receiver must store a list of all previous sequence numbers it has received. (Though if communication is occurring in a dedicated session, the sender can simply increment the sequence number each time a message is sent, and the receiver need only store the highest sequence number previously received.) To alleviate this, time-stamps are sometimes used to similar effect. Here, the sender essentially appends the current time to the message (say, to the nearest millisecond) rather than a sequence number. When the receiver obtains a message, it checks whether the included time-stamp is within some acceptable window of the current time. This method has certain drawbacks as well, including the need for the sender and receiver to maintain closely-synchronized clocks, and the possibility that a replay attack can still take place as long as it is done quickly enough (specifically, within the acceptable time window).

Further discussion about preventing replay attacks is beyond the scope of this book, but can be found in any good book on Network Security.
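The two replay-prevention techniques just described, as an added example in Python (not the book's code). It assumes HMAC-SHA256 as the MAC, a fixed-width 8-byte encoding of i so that i||m uniquely determines i and m (the detail the text glosses over), and an injectable clock for the time-stamp receiver so that the within-window replay drawback can be shown deterministically.

```python
import hashlib
import hmac
import time


def encode(i: int, m: bytes) -> bytes:
    """Unambiguous i||m: i is written as a fixed-width 8-byte big-endian
    integer, so (i, m) is uniquely recoverable from the concatenation."""
    return i.to_bytes(8, "big") + m


def tag(k: bytes, i: int, m: bytes) -> bytes:
    """Mac_k(i||m); assumption: HMAC-SHA256 stands in for the MAC."""
    return hmac.new(k, encode(i, m), hashlib.sha256).digest()


def valid(k: bytes, i: int, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(t, tag(k, i, m))


class Sender:
    """Assigns a fresh sequence number to every message it sends."""

    def __init__(self, k: bytes):
        self.k, self.next_seq = k, 0

    def send(self, m: bytes) -> tuple:
        i, self.next_seq = self.next_seq, self.next_seq + 1
        return (i, m, tag(self.k, i, m))


class SeqReceiver:
    """Stores every sequence number it has accepted; a second copy of
    (i, m, t) is rejected even though its tag is valid."""

    def __init__(self, k: bytes):
        self.k, self.seen = k, set()

    def receive(self, i: int, m: bytes, t: bytes) -> bool:
        if not valid(self.k, i, m, t) or i in self.seen:
            return False
        self.seen.add(i)
        return True


class SessionReceiver:
    """Dedicated-session variant: the sender increments i by one each time,
    so the receiver need only remember the highest i accepted so far."""

    def __init__(self, k: bytes):
        self.k, self.highest = k, -1

    def receive(self, i: int, m: bytes, t: bytes) -> bool:
        if not valid(self.k, i, m, t) or i <= self.highest:
            return False
        self.highest = i
        return True


class TimestampReceiver:
    """Time-stamp variant: the sender puts the current time (ms) in place of
    i; the receiver accepts if it lies within `window_ms` of its own clock.
    A replay inside the window is still accepted (the drawback the text
    notes), so `clock` is injectable to make that visible in a test."""

    def __init__(self, k: bytes, window_ms: int, clock=None):
        self.k, self.window = k, window_ms
        self.clock = clock or (lambda: int(time.time() * 1000))

    def receive(self, ts: int, m: bytes, t: bytes) -> bool:
        if not valid(self.k, ts, m, t):
            return False
        return abs(self.clock() - ts) <= self.window


if __name__ == "__main__":
    k = b"constructed-demo-key"
    alice, bank = Sender(k), SeqReceiver(k)
    i, m, t = alice.send(b"transfer $1,000 to Bob")
    print(bank.receive(i, m, t), bank.receive(i, m, t))  # True False
```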


4.4 Constructing Secure Message Authentication Codes

Pseudorandom functions are a natural tool for constructing secure message authentication codes. Intuitively, if the MAC tag t is obtained by applying a pseudorandom function to the message m, then forging a tag on a previously-unauthenticated message requires the adversary to guess the value of the pseudorandom function at a “new” point (i.e., message). Now, the probability of guessing the value of a random function on a new point is 2^{-n} (when the output length of the function is n). It follows that the probability of guessing such a value for a pseudorandom function can be only negligibly greater.


CONSTRUCTION 4.3

Let F be a pseudorandom function. Define a fixed-length MAC for messages of length n as follows:

• Gen: on input 1^n, choose k ← {0,1}^n uniformly at random.

• Mac: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, output the tag t := F_k(m). (If |m| ≠ |k| then output nothing.)

• Vrfy: on input a key k ∈ {0,1}^n, a message m ∈ {0,1}^n, and a tag t ∈ {0,1}^n, output 1 if and only if t = F_k(m). (If |m| ≠ |k|, then output 0.)

A fixed-length MAC from any pseudorandom function.

The above idea, shown in Construction 4.3, works for constructing a secure MAC for fixed-length messages. This is already useful, though it falls short of our ultimate goal. We will see later in this section that any fixed-length MAC can be converted into a MAC that handles messages of arbitrary length.
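Construction 4.3 together with the Mac-forge experiment of Section 4.3, as an added example in Python (not the book's code). HMAC-SHA256 truncated to n bits stands in for the pseudorandom function F, which is an assumption of this example; the experiment harness runs a caller-supplied adversary against a fresh key and MAC oracle and outputs 1 only when both conditions of the experiment hold, and the three constructed adversaries show which condition stops each of them.

```python
import hashlib
import hmac
import secrets

N = 16  # n = 128 bits, written as bytes


def F(k: bytes, x: bytes) -> bytes:
    """Pseudorandom function F_k : {0,1}^n -> {0,1}^n.  Assumption of this
    example: HMAC-SHA256 truncated to n bits stands in for F."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def gen() -> bytes:
    """Gen(1^n): k <- {0,1}^n uniformly at random."""
    return secrets.token_bytes(N)


def mac(k: bytes, m: bytes):
    """Mac_k(m) := F_k(m); outputs nothing (None) unless |m| = |k|."""
    if len(m) != len(k):
        return None
    return F(k, m)


def vrfy(k: bytes, m: bytes, t: bytes) -> int:
    """Vrfy_k(m, t) = 1 iff |m| = |k| and t = F_k(m); the comparison is
    constant-time so the check itself leaks nothing about F_k(m)."""
    if len(m) != len(k) or len(t) != N:
        return 0
    return 1 if hmac.compare_digest(t, F(k, m)) else 0


def mac_forge(adversary) -> int:
    """Experiment Mac-forge_{A,Pi}(n).  `adversary` is a function that is given
    the oracle Mac_k(.) and returns a pair (m, t).  Output is 1 iff
    (1) Vrfy_k(m, t) = 1 and (2) m was never queried to the oracle."""
    k = gen()
    Q = set()                       # the set of oracle queries

    def oracle(m: bytes):
        Q.add(m)
        return mac(k, m)

    m, t = adversary(oracle)
    return 1 if (m not in Q and vrfy(k, m, t) == 1) else 0


# Three constructed adversaries, one per way the experiment can reject.
def replay_adversary(oracle):
    """Copies a message/tag pair it obtained: valid tag, but m is in Q."""
    m = b"transfer $1000 " + b"\x00"   # 16 bytes = n
    return m, oracle(m)


def guessing_adversary(oracle):
    """Guesses a tag on a new n-bit message: succeeds with probability 2^{-n}."""
    oracle(b"some other message")   # 18 bytes: Mac outputs nothing
    return b"transfer $9999 " + b"\x00", secrets.token_bytes(N)


def wrong_length_adversary(oracle):
    """Outputs a message of the wrong length: Vrfy outputs 0 regardless."""
    return b"this is 17 bytes!", secrets.token_bytes(N)


def run_all() -> dict:
    return {
        "replay": mac_forge(replay_adversary),
        "guess": mac_forge(guessing_adversary),
        "wrong_length": mac_forge(wrong_length_adversary),
    }


if __name__ == "__main__":
    k = gen()
    m = b"fixed-length msg"            # exactly n bytes
    print(vrfy(k, m, mac(k, m)), run_all())
```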

THEOREM 4.4 If F is a pseudorandom function, then Construction 4.3 is a fixed-length MAC for messages of length n that is existentially unforgeable under an adaptive chosen-message attack.

PROOF The intuition behind the proof of this theorem was described above, and so we turn directly to the details. As in previous uses of pseudorandom functions, this proof follows the paradigm of first analyzing the security of the scheme using a truly random function, and then considering the result of replacing the truly random function with a pseudorandom one. Let A be a probabilistic polynomial-time adversary and define ε as follows:

$$\varepsilon(n) \stackrel{\text{def}}{=} \Pr\left[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1\right].$$

Consider a message authentication code Π̃ = (G̃en, M̃ac, Ṽrfy) which is the same as Π = (Gen, Mac, Vrfy) in Construction 4.3 except that a truly random function f is used instead of the pseudorandom function F_k. That is, G̃en(1^n) works by choosing a random function f ← Func_n, and M̃ac computes a MAC tag just as Mac does except that f is used instead of F_k. (Technically, this is not a legal MAC because it is not efficient. Nevertheless, it is well-defined for the purposes of the proof.) It is straightforward to see that

$$\Pr\left[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1\right] \le 2^{-n} \quad (4.1)$$

because for any message m ∉ Q, the value t = f(m) is uniformly distributed in {0,1}^n from the point of view of the adversary A.

We now construct a polynomial-time distinguisher D that is given oracle access to some function, and whose goal is to determine whether this function is pseudorandom (i.e., equal to F_k for randomly-chosen k ← {0,1}^n) or random (i.e., equal to f for f ← Func_n). To do this, D emulates the message authentication experiment for A in the manner described below, and observes whether A succeeds in outputting a valid tag on a “new” message. If so, D guesses that its oracle must be a pseudorandom function; otherwise, D guesses that its oracle must be a random function. In detail:

Distinguisher D:

D is given input 1^n and access to an oracle O : {0,1}^n → {0,1}^n and works as follows:

1. Run A(1^n). Whenever A queries its MAC oracle on a message m (i.e., whenever A requests a tag on a message m), answer this query in the following way:

• Query O with m and obtain response t; return t to A.

2. When A outputs (m, t) at the end of its execution, do:

(a) Query O with m and obtain response t'.

(b) If (1) t' = t and (2) A never queried its MAC oracle on m, then output 1; otherwise, output 0.

It is clear that D runs in polynomial time.

Notice that if D’s oracle is a pseudorandom function, then the view of A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge_{A,Π}(n). Furthermore, D outputs 1 exactly when Mac-forge_{A,Π}(n) = 1. We therefore conclude that

$$\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr\left[\mathsf{Mac\text{-}forge}_{A,\Pi}(n) = 1\right] = \varepsilon(n),$$

where k ← {0,1}^n is chosen uniformly at random in the above. If D’s oracle is a random function, then the view of A when run as a sub-routine by D is distributed identically to the view of A in experiment Mac-forge_{A,Π̃}(n), and again D outputs 1 exactly when Mac-forge_{A,Π̃}(n) = 1. Thus,

$$\Pr\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr\left[\mathsf{Mac\text{-}forge}_{A,\tilde{\Pi}}(n) = 1\right] \le 2^{-n},$$

where f ← Func_n is chosen uniformly at random in the above. Therefore,

$$\left|\Pr\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr\left[D^{f(\cdot)}(1^n) = 1\right]\right| \ge \varepsilon(n) - 2^{-n}.$$

Since F is a pseudorandom function, it follows that there exists a negligible function negl with ε(n) − 2^{-n} ≤ negl(n). We then have ε(n) ≤ negl(n) + 2^{-n}, and so ε is negligible. This concludes the proof that Construction 4.3 is existentially unforgeable under an adaptive chosen-message attack. ■


Extension to Variable-Length Messages

Construction 4.3 is important in that it shows a general paradigm for constructing secure message authentication codes based on pseudorandom functions. Unfortunately, the construction is only capable of dealing with fixed-length messages that are furthermore rather short. These limitations are unacceptable in many (if not most) applications.² We show here how a general (variable-length) MAC can be constructed from any fixed-length MAC for messages of length n. The construction we show is not very efficient and is


² Given a pseudorandom function that handles variable-length inputs, Construction 4.3 would yield a secure MAC for messages of arbitrary length. Likewise, a pseudorandom function with a longer, but fixed domain, would yield a secure MAC for longer messages. However, existing practical pseudorandom functions (block ciphers) are only defined for short, fixed-length inputs.
unlikely to be used in practice. Indeed, far more efficient constructions of secure variable-length MACs are known and we will discuss these in Sections 4.5 and 4.7. We include this construction for its simplicity and generality.

Let Π' = (Gen', Mac', Vrfy') be a secure fixed-length MAC for messages of length n (for simplicity we assume that Gen' chooses a random n-bit key). Before presenting the construction of a variable-length MAC based on Π', we rule out some simple ideas. In all the following (and the secure construction below), the basic idea is to break the message m into blocks m_1, ..., m_d and authenticate the blocks using Π' in some way. Consider the following suggestions:

1. XOR all the blocks together and authenticate the result. I.e., compute the tag t := Mac'_k(⊕_i m_i). In this case, an adversary can forge a valid tag on a new message by changing the original message so that the XOR of the blocks does not change. This can easily be done.

2. Authenticate each block separately. I.e., compute t_i := Mac'_k(m_i) and output (t_1, ..., t_d) as the tag. This prevents an adversary from sending any previously-unauthenticated block without being detected. However, it does not prevent an adversary from changing the order of the blocks, and computing a valid tag on, e.g., the message m_d, ..., m_1 (something that is not allowed by Definition 4.2).

3. Authenticate each block along with a sequence number. I.e., compute t_i := Mac'_k(i||m_i) and output (t_1, ..., t_d) as the tag. This prevents the re-ordering attack described above. However, the adversary is not prevented from dropping blocks from the end of the message (since (t_1, ..., t_{d-1}) is a valid tag on the message m_1, ..., m_{d-1}). Furthermore, the adversary can mix-and-match blocks from different messages. That is, if the adversary obtains the tags (t_1, ..., t_d) and (t'_1, ..., t'_d) on the messages m = m_1, ..., m_d and m' = m'_1, ..., m'_d, respectively, it can output the valid tag (t_1, t_2, t_3, t'_4, ...) on the message m_1, m_2, m_3, m'_4, ...

All the attacks described above must be prevented by the eventual solution. This is achieved by including additional information in every block. Specifically, in addition to including a sequence number as above, we also include a random “message identifier” that prevents blocks from different messages from being combined. Finally, each block also includes the length of the message, so that blocks at the end of the message cannot be dropped. The scheme is shown as Construction 4.5.³


³ A technicality is that the construction is only defined for messages of length ℓ < 2^{n/4}. This is easy to fix by changing Mac so it outputs ⊥ when ℓ ≥ 2^{n/4}, and changing Vrfy so that it outputs 1 when ℓ ≥ 2^{n/4}. Although this seems “silly”, a polynomial-time adversary will be unable to output a message of length 2^{n/4} for n large enough, and so security still holds. From a practical point of view we do not expect honest parties to ever send messages of exponential length, and so the original construction suffices.
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CONSTRUCTION  4.5 

Let $\Pi' = (\mathsf{Gen}', \mathsf{Mac}', \mathsf{Vrfy}')$ be a fixed-length MAC for messages of length $n$. Define a MAC as follows:

• Gen: this is identical to $\mathsf{Gen}'$.

• Mac: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^*$ of length $\ell < 2^{n/4}$, parse $m$ into $d$ blocks $m_1, \ldots, m_d$, each of length $n/4$. (The final block is padded with 0s if necessary.) Next, choose a random identifier $r \leftarrow \{0,1\}^{n/4}$. For $i = 1, \ldots, d$, compute $t_i \leftarrow \mathsf{Mac}'_k(r \| \ell \| i \| m_i)$, where $i$ and $\ell$ are uniquely encoded as strings of length $n/4$.² Finally, output the tag $t := (r, t_1, \ldots, t_d)$.

• Vrfy: on input a key $k \in \{0,1\}^n$, a message $m \in \{0,1\}^*$ of length $\ell < 2^{n/4}$, and a tag $t = (r, t_1, \ldots, t_{d'})$, parse $m$ into $d$ blocks $m_1, \ldots, m_d$, each of length $n/4$. (The final block is padded with 0s if necessary.) Output 1 if and only if $d' = d$ and $\mathsf{Vrfy}'_k(r \| \ell \| i \| m_i, t_i) = 1$ for $1 \leq i \leq d$.

A variable-length MAC from any fixed-length MAC.
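Construction 4.5 in runnable form, as an added example (not the book's code). The fixed-length MAC $\Pi'$ for $n$-bit messages is instantiated, as an assumption, by HMAC-SHA256 restricted to exactly $n = 128$-bit inputs; the `demo` function checks that a genuine tag verifies and that each of the manipulations sketched above (dropping, reordering, and mixing blocks) is rejected by Vrfy.

```python
"""Construction 4.5: a variable-length MAC built from a fixed-length MAC.

Added example, not the book's code.  The fixed-length MAC Pi' for n-bit
messages is instantiated (an assumption) with HMAC-SHA256 restricted to
exactly n = 128-bit inputs; any secure fixed-length MAC would do.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

N_BITS = 128             # n: message length of the fixed-length MAC Pi'
N_BYTES = N_BITS // 8
Q_BYTES = N_BITS // 32   # n/4 bits = 4 bytes: size of a block, of r, of i and of l


def mac_prime(k: bytes, x: bytes) -> bytes:
    """Mac'_k: the fixed-length MAC, defined only for |x| = n bits."""
    if len(x) != N_BYTES:
        raise ValueError("Pi' only authenticates n-bit messages")
    return hmac.new(k, x, hashlib.sha256).digest()


def vrfy_prime(k: bytes, x: bytes, t: bytes) -> bool:
    """Vrfy'_k: canonical verification, compared in constant time."""
    return hmac.compare_digest(mac_prime(k, x), t)


def _blocks(m: bytes) -> list:
    """Parse m into d = ceil(|m| / (n/4)) blocks, zero-padding the last one."""
    d = -(-len(m) // Q_BYTES)
    padded = m.ljust(d * Q_BYTES, b"\x00")
    return [padded[i:i + Q_BYTES] for i in range(0, len(padded), Q_BYTES)]


def _encode(v: int) -> bytes:
    """Encode the counter i or the bit length l as an n/4-bit string (l < 2^(n/4))."""
    return v.to_bytes(Q_BYTES, "big")       # OverflowError if v >= 2^(n/4)


def mac(k: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, ...]:
    """Mac_k(m) -> (r, t_1, ..., t_d) with t_i = Mac'_k(r || l || i || m_i).

    r is drawn fresh at random unless supplied (supplying it only makes
    tests deterministic; a real caller never passes it)."""
    if not m:
        raise ValueError("the construction assumes at least one block")
    ell = _encode(len(m) * 8)               # l = message length in bits
    r = secrets.token_bytes(Q_BYTES) if r is None else r
    tags = [mac_prime(k, r + ell + _encode(i) + m_i)
            for i, m_i in enumerate(_blocks(m), start=1)]
    return (r, *tags)


def vrfy(k: bytes, m: bytes, t: Tuple[bytes, ...]) -> bool:
    """Vrfy_k(m, t): 1 iff d' = d and every block r || l || i || m_i verifies."""
    if not m:
        return False
    r, *tags = t
    blocks = _blocks(m)
    if len(tags) != len(blocks):            # d' must equal d: no dropped or added blocks
        return False
    ell = _encode(len(m) * 8)
    ok = True
    for i, (m_i, t_i) in enumerate(zip(blocks, tags), start=1):
        ok &= vrfy_prime(k, r + ell + _encode(i) + m_i, t_i)   # check every block
    return ok


def demo() -> dict:
    """A genuine tag verifies; the manipulations sketched in the text are rejected.

    The two identifiers are fixed (and distinct) here only so the result is
    deterministic; Mac normally draws them at random."""
    k = secrets.token_bytes(N_BYTES)
    m1, m2 = b"pay 100 EUR to account A", b"pay 900 EUR to account B"  # 6 blocks each
    t1 = mac(k, m1, r=b"\x00\x00\x00\x01")
    t2 = mac(k, m2, r=b"\x00\x00\x00\x02")
    b1, b2 = _blocks(m1), _blocks(m2)
    return {
        "genuine": vrfy(k, m1, t1),
        # drop the last block of m1 with its tag component: the length l no longer matches
        "truncated": vrfy(k, b"".join(b1[:-1]), t1[:-1]),
        # swap blocks 1 and 2 of m2 with their tags: the sequence numbers no longer match
        "reordered": vrfy(k, b2[1] + b2[0] + b"".join(b2[2:]),
                          (t2[0], t2[2], t2[1], *t2[3:])),
        # put block 2 of m2 (with m2's tag) into m1: the message identifiers differ
        "spliced": vrfy(k, b1[0] + b2[1] + b"".join(b1[2:]),
                        (t1[0], t1[1], t2[2], *t1[3:])),
    }
```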

THEOREM 4.6 If $\Pi'$ is a secure fixed-length MAC for messages of length $n$, then Construction 4.5 is a MAC that is existentially unforgeable under an adaptive chosen-message attack.


PROOF The intuition is that as long as $\Pi'$ is secure, an adversary cannot introduce a new block with a valid tag. Furthermore, the extra information included in each block prevents the various attacks (dropping blocks, re-ordering blocks, etc.) sketched earlier. We stress that showing that known attacks are thwarted is far from a proof of security. Rather, we will rigorously prove security (and essentially will show that the above attacks are the “only” possible ones).

Let $\Pi$ denote the MAC given by Construction 4.5. Let $\mathcal{A}$ be a probabilistic polynomial-time adversary and define $\varepsilon(\cdot)$ as follows:

$$\varepsilon(n) \stackrel{\text{def}}{=} \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1]. \qquad (4.2)$$

Let Repeat denote the event that the same message identifier appears in two of the tags returned by the MAC oracle in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n)$. If $(m, t = (r, t_1, \ldots))$ denotes the final output of $\mathcal{A}$ and $\ell$ denotes the length of $m$, let Forge denote the event that at least one of the blocks $r \| \ell \| i \| m_i$ was never previously authenticated by the MAC oracle, yet $\mathsf{Vrfy}'_k(r \| \ell \| i \| m_i, t_i) = 1$. I.e., Forge is the event that $\mathcal{A}$ was able to output a valid tag on a “message” that was not previously authenticated by the fixed-length MAC $\Pi'$.


²Notice that $i$ and $\ell$ can be encoded in $n/4$ bits because $i, \ell < 2^{n/4}$.
We have

$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] = \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{Repeat}] \qquad (4.3)$$
$$\qquad + \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \mathsf{Forge}]$$
$$\qquad + \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{Forge}}].$$

We now show that $\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{Repeat}] \leq \Pr[\mathsf{Repeat}]$ is negligible, and that $\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{Forge}}] = 0$.

CLAIM 4.7 There is a negligible function negl with $\Pr[\mathsf{Repeat}] \leq \mathsf{negl}(n)$.

Let $q(n)$ be the number of MAC oracle queries made by $\mathcal{A}$. To answer the $i$th oracle query of $\mathcal{A}$, the oracle chooses $r_i \leftarrow \{0,1\}^{n/4}$ uniformly at random. The probability of event Repeat is exactly the probability that $r_i = r_j$ for some $i \neq j$. Applying the “birthday bound” (Lemma A.9), as discussed in Appendix A.4, to $q(n)$ identifiers chosen from a set of size $|\{0,1\}^{n/4}| = 2^{n/4}$ gives an upper bound on $\Pr[\mathsf{Repeat}]$. Since $\mathcal{A}$ makes only polynomially-many queries, this value is negligible, thereby proving the claim.


CLAIM 4.8 $\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \overline{\mathsf{Forge}}] = 0$.

Say $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$ and Repeat does not occur; we show that this implies Forge occurs. Recalling that $(m, t)$ is the final output of $\mathcal{A}$, let $\ell$ denote the length of $m$. Parse $m$ into $d$ blocks $m_1, \ldots, m_d$, each of length $n/4$ (padding at the end with 0s if necessary). View $t$ as $t = (r, t_1, \ldots, t_d)$; since $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$, we know that $t$ contains $d + 1$ components. We have the following cases:

1. The identifier $r$ is different from all the identifiers used by the MAC oracle: This implies that $r \| \ell \| 1 \| m_1$ was never previously authenticated by the MAC oracle. Because $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$, we know that $\mathsf{Vrfy}'_k(r \| \ell \| 1 \| m_1, t_1) = 1$. Thus, Forge occurs in this case.

2. The identifier $r$ was used in exactly one of the MAC tags obtained by $\mathcal{A}$ from its MAC oracle: Denote by $m'$ the message that $\mathcal{A}$ queried to its oracle for which the reply $t'$ contained the identifier $r$. Since $m \notin \mathcal{Q}$ we have $m \neq m'$. Let $\ell'$ be the length of $m'$. There are two sub-cases here:

(a) Case 1: $\ell' \neq \ell$. Here it is again the case that $r \| \ell \| 1 \| m_1$ was never previously authenticated by the MAC oracle. (All MAC oracle responses except one used a different identifier $r' \neq r$, and the one oracle response that used the same identifier $r$ used a different length value $\ell' \neq \ell$.) Since $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$, we again know that Forge occurs in this case.

(b) Case 2: $\ell' = \ell$. Parse $m'$ into $d$ blocks $m'_1, \ldots, m'_d$ (since $\ell' = \ell$ the number of blocks in $m$ and $m'$ is the same). Because $m' \neq m$, there must exist some $i$ with $m_i \neq m'_i$. But then $r \| \ell \| i \| m_i$ was never previously authenticated by the MAC oracle. (All MAC oracle responses except one used a different identifier $r' \neq r$; the one oracle response that used the same identifier $r$ used a sequence number $i' \neq i$ in all blocks but one, and in the remaining block it used $m'_i \neq m_i$.) Since $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1$, we have that Forge occurs in this case as well.

3. The identifier $r$ was used in more than one of the MAC tags obtained by $\mathcal{A}$ from its oracle: This cannot occur because Repeat did not occur.

Noting that this covers all possible cases, this completes the proof of the claim, and is really the heart of the proof.

Returning to Equation (4.3) and using the previous two claims, we see that

$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \mathsf{Forge}] \geq \varepsilon(n) - \mathsf{negl}(n).$$

We now construct a probabilistic polynomial-time adversary $\mathcal{A}'$ who attacks the fixed-length MAC $\Pi'$ and succeeds in outputting a valid forgery on a previously-unauthenticated message with at least the above probability. The construction of $\mathcal{A}'$ is the obvious one and so we describe it briefly: $\mathcal{A}'$ runs $\mathcal{A}$ as a sub-routine, and answers the request by $\mathcal{A}$ for a MAC tag on the message $m$ by choosing $r \leftarrow \{0,1\}^{n/4}$ itself, parsing $m$ appropriately, and making the appropriate queries to its own MAC oracle. When $\mathcal{A}$ outputs $(m, t)$, with $m$ having length $\ell$, adversary $\mathcal{A}'$ parses $m$ as $m_1, \ldots, m_d$ and $t$ as $(r, t_1, \ldots, t_{d'})$ and checks for a previously-unauthenticated block $r \| \ell \| i \| m_i$ (this is easy to do since $\mathcal{A}'$ can keep track of all the queries it makes to its own oracle). If such a block exists, $\mathcal{A}'$ outputs $(r \| \ell \| i \| m_i, t_i)$. If not, $\mathcal{A}'$ outputs nothing. $\mathcal{A}'$ forges a valid MAC tag on a previously-unauthenticated message (all with respect to $\Pi'$) whenever Forge occurs and so whenever $\mathcal{A}$ forges a valid MAC tag on a previously-unauthenticated message (with respect to $\Pi$). It is easy to see that the view of $\mathcal{A}$ when run as a sub-routine by $\mathcal{A}'$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n)$. So,

$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1] = \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \mathsf{Forge}]$$
$$\geq \Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}} \wedge \mathsf{Forge}]$$
$$\geq \varepsilon(n) - \mathsf{negl}(n).$$

By security of $\Pi'$, we know that $\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1]$ must be negligible. This implies that $\varepsilon$ must be negligible as well. ■
4.5 CBC-MAC

Theorems 4.4 and 4.6, taken together, show that it is possible to construct a secure message authentication code (for messages of arbitrary length) given only a pseudorandom function that works for a fixed input length. This demonstrates, in principle, that secure MACs can be constructed from block ciphers. Unfortunately, the resulting construction is extremely inefficient: to compute a MAC tag on a message of length $\ell \cdot n$, it is necessary to apply the block cipher $4\ell$ times, and the MAC tag is $(4\ell + 1)n$ bits long. Fortunately, it is possible to achieve far more efficient solutions.

The CBC-MAC construction is similar to the CBC mode of encryption and is widely used in practice. As in Construction 4.5, the message is broken up into blocks, and a block cipher is then applied. However, in order to compute a tag on a message of length $\ell \cdot n$, where $n$ is the size of a message block, the block cipher is applied only $\ell$ times. More importantly, the MAC tag is now only $n$ bits long (i.e., a single block). We begin by presenting the basic CBC-MAC construction which gives a secure fixed-length MAC (but for an arbitrary length set in advance). We caution that this basic scheme is not secure in the general case where messages of different lengths may be authenticated.


CONSTRUCTION 4.9

Let $F$ be a pseudorandom function, and fix a length function $\ell$. The basic CBC-MAC construction is as follows:

• Gen: on input $1^n$, choose $k \leftarrow \{0,1\}^n$ uniformly at random.

• Mac: on input a key $k \in \{0,1\}^n$ and a message $m$ of length $\ell(n) \cdot n$, do the following (we set $\ell = \ell(n)$ in what follows):

  1. Parse $m$ as $m = m_1, \ldots, m_\ell$ where each $m_i$ is of length $n$, and set $t_0 := 0^n$.

  2. For $i = 1$ to $\ell$, set $t_i := F_k(t_{i-1} \oplus m_i)$.

  Output $t_\ell$ as the tag.

• Vrfy: on input a key $k \in \{0,1\}^n$, a message $m$ of length $\ell(n) \cdot n$, and a tag $t$ of length $n$, output 1 if and only if $t = \mathsf{Mac}_k(m)$.

CBC-MAC for fixed-length messages.

A graphical depiction of Construction 4.9 (modified to handle variable-length messages, as discussed subsequently) is given in Figure 4.1. The construction is described for messages whose length is a multiple of $n$, but it is possible to handle messages of arbitrary (but fixed) length using padding. The security of this construction is described by the following theorem:
THEOREM 4.10 Let $\ell$ be a polynomial. If $F$ is a pseudorandom function, then Construction 4.9 is a fixed-length MAC for messages of length $\ell(n) \cdot n$ that is existentially unforgeable under an adaptive chosen-message attack.

The proof of Theorem 4.10 is very involved and is therefore omitted. We stress that even though Construction 4.9 can be extended in the obvious way to handle messages whose length is an arbitrary multiple of $n$, the construction is only secure when the length of the messages being authenticated is fixed. That is, if an adversary is able to obtain MAC tags for messages of varying lengths, then the scheme is no longer secure (see Exercise 4.8). The advantage of this construction over Construction 4.3, which also gives a fixed-length MAC, is that the present construction can authenticate much longer messages.

CBC-MAC vs. CBC-mode encryption. There are two differences between the basic CBC-MAC and the CBC mode of encryption:

1. CBC-mode encryption uses a random IV and this is crucial for obtaining security. In contrast, CBC-MAC uses no IV (or the fixed value $IV = 0^n$) and this is also crucial for obtaining security. Specifically, CBC-MAC using a random IV is not secure.

2. In CBC-mode encryption all blocks $t_i$ (called $c_i$ in the case of CBC-mode encryption) are output by the encryption algorithm as part of the ciphertext, whereas in CBC-MAC only the final block is output. This may seem to be a technical difference resulting from the fact that, for the case of encryption, all blocks must be output in order to enable decryption, whereas for a MAC this is simply not necessary and so is not done. However, if CBC-MAC is modified to output all blocks then it is no longer secure.

In Exercise 4.9 you are asked to verify the above. This is a good illustration of the fact that harmless-looking modifications to cryptographic constructions can render them insecure. It is crucial to always implement a cryptographic construction exactly as specified, and not to introduce any variations (unless you can prove security for the variant scheme). Furthermore, it is crucial to understand the construction. For example, in many cases a cryptographic library provides a programmer with a “CBC function”, but it does not distinguish between the use of this function for encryption or for message authentication.

Secure CBC-MAC for variable-length messages. In order to obtain a secure version of CBC-MAC for variable-length messages, Construction 4.9 must be modified. This can be done in a number of ways. Three possible options that can be proven secure are:

1. Apply the pseudorandom function (block cipher) to the length $\ell$ of the input message in order to obtain a key (i.e., set $k_\ell := F_k(\ell)$). Then, compute the basic CBC-MAC using the key $k_\ell$. This ensures that different (and computationally independent) keys are used to authenticate messages of different lengths.

2. Prepend the message with its length $|m|$ (encoded as an $n$-bit string), and then compute the basic CBC-MAC on the resulting message. (This is shown in Figure 4.1.) We stress that appending the block length to the end of the message is not secure.

3. Change the scheme so that key generation chooses two different keys $k_1 \leftarrow \{0,1\}^n$ and $k_2 \leftarrow \{0,1\}^n$. Then, to authenticate a message $m$ first compute the basic CBC-MAC of $m$ using $k_1$ and let $t$ be the result; output the tag $t' := F_{k_2}(t)$.

The third option has the advantage that it is not necessary to know the message length before starting to compute the MAC. Its disadvantage is that it requires two keys. However, at the expense of two additional applications of the pseudorandom function, it is possible to store a single key $k$ and then derive keys $k_1 = F_k(1)$ and $k_2 = F_k(2)$ at the beginning of the computation.
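The basic CBC-MAC of Construction 4.9 together with options 2 and 3 above (length prepending, and the two-key variant with $k_1 = F_k(1)$, $k_2 = F_k(2)$), as an added example that is not the book's code. The pseudorandom function $F_k$ on $n = 128$-bit blocks is instantiated, as an assumption, by HMAC-SHA256 truncated to $n$ bits; in practice $F$ would be a block cipher such as AES.

```python
"""Basic CBC-MAC (Construction 4.9) and two of the variable-length variants
discussed in the text: length prepending, and the two-key variant with keys
derived as k_1 = F_k(1), k_2 = F_k(2).

Added example, not the book's code.  The pseudorandom function F_k on
n = 128-bit blocks is instantiated (an assumption) by HMAC-SHA256 truncated
to n bits; in practice F is a block cipher such as AES.
"""
import hashlib
import hmac

N = 16   # block length n in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Pseudorandom function F_k: {0,1}^n -> {0,1}^n (assumed instantiation)."""
    if len(x) != N:
        raise ValueError("F takes exactly one n-bit block")
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def basic_cbc_mac(k: bytes, m: bytes) -> bytes:
    """Construction 4.9: t_0 = 0^n, t_i = F_k(t_{i-1} XOR m_i), output t_l.

    The IV is the fixed value 0^n and only the final block t_l is output;
    the text stresses that both are essential.  On its own this is secure
    only when every authenticated message has the same (fixed) length."""
    if not m or len(m) % N:
        raise ValueError("message must be a nonzero multiple of the block length")
    t = bytes(N)                                  # t_0 := 0^n
    for i in range(0, len(m), N):
        t = F(k, xor(t, m[i:i + N]))              # t_i := F_k(t_{i-1} XOR m_i)
    return t


def cbc_mac_length_prepend(k: bytes, m: bytes) -> bytes:
    """Option 2: prepend |m| as an n-bit block, then run the basic CBC-MAC.

    |m| must therefore be known before processing starts.  Appending the
    length at the end instead is not secure (as the text notes)."""
    if len(m) % N:
        raise ValueError("message must be a multiple of the block length")
    length_block = (len(m) * 8).to_bytes(N, "big")   # |m| in bits
    return basic_cbc_mac(k, length_block + m)


def cbc_mac_two_key(k: bytes, m: bytes) -> bytes:
    """Option 3 with single-key derivation: k_1 = F_k(1), k_2 = F_k(2),
    t = basic CBC-MAC under k_1, tag = F_{k_2}(t).  Needs no advance
    knowledge of |m|, at the cost of two extra applications of F."""
    k1 = F(k, (1).to_bytes(N, "big"))
    k2 = F(k, (2).to_bytes(N, "big"))
    return F(k2, basic_cbc_mac(k1, m))


def vrfy(mac_fn, k: bytes, m: bytes, t: bytes) -> bool:
    """Canonical verification for any of the three variants: recompute the
    tag and compare in constant time (Vrfy outputs 1 iff t = Mac_k(m))."""
    return hmac.compare_digest(mac_fn(k, m), t)
```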


FIGURE 4.1: A variant of CBC-MAC secure for authenticating variable-length messages.


4.6 Collision-Resistant Hash Functions

In this section we take a brief detour from our discussion of message authentication in order to introduce the notion of collision-resistant hash functions. Such functions are very useful throughout cryptography, and are introduced now because we will use them in the next section to obtain another efficient construction of a MAC for variable-length messages. (Those who will not cover Section 4.7 can defer the current section until they reach Chapter 12.)
In general, hash functions are just functions that take arbitrary-length strings and compress them into shorter strings. The classic use of hash functions is in data structures, where they can be used to achieve $O(1)$ insertion and lookup times for storing a set of elements. Specifically, if the range of the hash function $H$ is of size $N$, a table of length $N$ is initialized. Then, element $x$ is stored in cell $H(x)$ of the table. In order to retrieve $x$, it suffices to compute $H(x)$ and probe that cell of the table for whatever elements are stored there. A “good” hash function for this purpose is one that yields as few collisions as possible, where a collision is a pair of distinct data items $x$ and $x'$ for which $H(x) = H(x')$. Notice that when a collision occurs, two elements end up being stored in the same cell. Therefore, many collisions result in a higher-than-desired retrieval complexity. In short, what is desired is that the hash function spreads the elements well in the table, thereby minimizing the number of collisions.

Collision-resistant hash functions are similar in principle to those used in data structures. In particular, they are also functions that compress arbitrary-length input strings into output strings of some fixed length. As in data structures, the goal is to avoid collisions. However, there are fundamental differences between standard hash functions and collision-resistant ones. For one, the desire to minimize collisions in the setting of data structures becomes a mandatory requirement to avoid collisions in the setting of cryptography. Furthermore, in the context of data structures we can assume that the set of data elements is chosen independently of the hash function and without any intention to cause collisions. In the context of cryptography, in contrast, we need to be concerned with an adversary who may select elements depending on the hash function with the explicit goal of causing collisions. This means that the requirements on hash functions used in cryptography are much more stringent than the analogous requirements in data structures, and collision-resistant hash functions are therefore much harder to construct.

4.6.1 Defining Collision Resistance

A collision in a function $H$ is a pair of distinct inputs $x$ and $x'$ such that $H(x) = H(x')$; in this case we also say that $x$ and $x'$ collide under $H$. A function $H$ is collision resistant if it is infeasible for any probabilistic polynomial-time algorithm to find a collision in $H$. Typically we will be interested in functions $H$ that have an infinite domain (e.g., they take as input strings of all possible lengths) and a finite range. In such a case, collisions must exist by the pigeon-hole principle, and the requirement is therefore only that such collisions should be “hard” to find. We will sometimes refer to functions $H$ for which both the input domain and output range are finite. In this case, however, we will only be interested in functions that compress their input, meaning that the length of the output is shorter than that of the input. Collision resistance is trivial to achieve if compression is not required: for example, the identity function is trivially collision resistant.
Formally, we will deal with a family of hash functions indexed by a “key” $s$. That is, $H$ will be a two-input function that takes as inputs a key $s$ and a string $x$, and outputs a string $H^s(x) \stackrel{\text{def}}{=} H(s, x)$. The requirement is that it must be hard to find a collision in $H^s$ for a randomly-generated $s$. The key $s$ is not a usual cryptographic key, and there are at least two differences from our treatment of keyed functions in the context of pseudorandom functions. First, not all strings necessarily correspond to valid keys (i.e., $H^s$ may not be defined for certain $s$), and therefore the key $s$ will be generated by an algorithm Gen rather than being chosen uniformly at random. Second, and perhaps more important, this key $s$ is not kept secret. Rather, it is used merely to specify a particular function from the family. In order to emphasize the fact that $s$ is not kept secret, we superscript the key and write $H^s$ rather than $H_s$.

DEFINITION 4.11 A hash function is a pair of probabilistic polynomial-time algorithms $(\mathsf{Gen}, H)$ satisfying the following:

• Gen is a probabilistic algorithm which takes as input a security parameter $1^n$ and outputs a key $s$. We assume that $1^n$ is implicit in $s$.

• There exists a polynomial $\ell$ such that $H$ takes as input a key $s$ and a string $x \in \{0,1\}^*$ and outputs a string $H^s(x) \in \{0,1\}^{\ell(n)}$ (where $n$ is the value of the security parameter implicit in $s$).

If $H^s$ is defined only for inputs $x \in \{0,1\}^{\ell'(n)}$ and $\ell'(n) > \ell(n)$, then we say that $(\mathsf{Gen}, H)$ is a fixed-length hash function for inputs of length $\ell'(n)$.

In the fixed-length case we require that $\ell'$ be greater than $\ell$. This ensures that the function is a hash function in the classic sense in that it compresses its input. In the general case we have no requirement on $\ell$ because the function takes as input all (finite) binary strings, and so in particular strings that are longer than $\ell(n)$. Thus, by definition, it also compresses (albeit only strings that are longer than $\ell(n)$).

We now proceed to define security. As usual, we first define an experiment for a hash function $\Pi = (\mathsf{Gen}, H)$, an adversary $\mathcal{A}$, and a security parameter $n$:

The collision-finding experiment $\mathsf{Hash\text{-}coll}_{\mathcal{A},\Pi}(n)$:

1. A key $s$ is generated by running $\mathsf{Gen}(1^n)$.

2. The adversary $\mathcal{A}$ is given $s$ and outputs $x, x'$. (If $\Pi$ is a fixed-length hash function for inputs of length $\ell'(n)$ then we require $x, x' \in \{0,1\}^{\ell'(n)}$.)

3. The output of the experiment is defined to be 1 if and only if $x \neq x'$ and $H^s(x) = H^s(x')$. In such a case we say that $\mathcal{A}$ has found a collision.
The definition of collision resistance states that no efficient adversary can find a collision in the above experiment except with negligible probability.

DEFINITION 4.12 A hash function $\Pi = (\mathsf{Gen}, H)$ is collision resistant if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function negl such that

$$\Pr[\mathsf{Hash\text{-}coll}_{\mathcal{A},\Pi}(n) = 1] \leq \mathsf{negl}(n).$$

Terminology: For simplicity, we refer to $H$, $H^s$, and $\Pi = (\mathsf{Gen}, H)$ as “collision-resistant hash functions.” This should not cause any confusion.

4.6.2 Weaker Notions of Security for Hash Functions

Collision resistance is a strong security requirement and is quite difficult to achieve. However, in some applications it suffices to rely on more relaxed requirements. When considering cryptographic hash functions, there are typically three levels of security considered:

1. Collision resistance: This is the strongest notion and the one we have considered so far.

2. Second pre-image resistance: Informally speaking, a hash function is second pre-image resistant if given $s$ and $x$ it is infeasible for a probabilistic polynomial-time adversary to find $x' \neq x$ such that $H^s(x') = H^s(x)$.

3. Pre-image resistance: Informally, a hash function is pre-image resistant if given $s$ and $y = H^s(x)$ (but not $x$ itself) for a randomly-chosen $x$, it is infeasible for a probabilistic polynomial-time adversary to find a value $x'$ such that $H^s(x') = y$. (Looking ahead to later chapters of the book, this essentially means that $H^s$ is one-way.)

We do not formally define the latter two notions since they will not be used in this book, but leave this task as an exercise.

Any hash function that is collision resistant is also second pre-image resistant. Intuitively, this is the case because if given $x$ an adversary can find $x' \neq x$ for which $H^s(x') = H^s(x)$, then it can clearly find a colliding pair $x$ and $x'$ from scratch. Likewise, any hash function that is second pre-image resistant is also pre-image resistant. This is due to the fact that if it were possible to invert $y$ and find an $x'$ such that $H^s(x') = y$, then it would be possible to take a given input $x$, compute $y := H^s(x)$, and then invert $y$ to obtain $x'$; with high probability $x' \neq x$ (relying on the fact that $H$ compresses, and so many different inputs map to the same output) in which case a second pre-image has been found. (You are asked to formalize the above arguments in Exercise 4.10.) We conclude that the above three security requirements form a hierarchy with each definition implying the one below it.
4.6.3 A Generic “Birthday” Attack

Before we show how to construct collision-resistant hash functions, we present a generic attack that finds collisions in any hash function (albeit in time that is exponential in the hash output length). This attack implies a minimal output length needed for a hash function to potentially be secure against adversaries running for a certain time, as we will explain.

Assume we are given a hash function $H : \{0,1\}^* \rightarrow \{0,1\}^\ell$. (For simplicity we deal with hash functions taking arbitrary-length inputs, though a slight variant of the attack works for fixed-length hash functions also. We omit the key $s$ since the attack here applies independently of any key.) The attack works as follows: Choose $q$ arbitrary distinct inputs $x_1, \ldots, x_q \in \{0,1\}^{2\ell}$, compute $y_i := H(x_i)$, and check whether any two of the $y_i$ values are equal.

What is the probability that this algorithm finds a collision? Clearly, if $q > 2^\ell$ this occurs with probability 1. However, we are interested in the case of smaller $q$. It is somewhat difficult to analyze this probability exactly, and so we will instead analyze an idealized case in which $H$ is treated as a random function.³ That is, for each $i$ we assume that the value $y_i = H(x_i)$ is uniformly distributed in $\{0,1\}^\ell$ and independent of any of the previous output values $\{y_j\}_{j<i}$ (recall we assume all $\{x_i\}$ are distinct). We have thus reduced our problem to the following one: if we choose values $y_1, \ldots, y_q \leftarrow \{0,1\}^\ell$ uniformly at random, what is the probability that there exist distinct $i, j$ with $y_i = y_j$?

This problem has been extensively studied, and is related to the so-called birthday problem discussed in detail in Appendix A.4. For this reason, the collision-finding algorithm we have described is often called a “birthday attack.” The birthday problem is the following: if $q$ people are in a room, what is the probability that two of them have the same birthday? (Assume birthdays are uniformly and independently distributed among the 365 days of a non-leap year.) This is exactly analogous to our problem: if $y_i$ represents the birthday of person $i$, then we have $y_1, \ldots, y_q \leftarrow \{1, \ldots, 365\}$ chosen uniformly at random. Furthermore, matching birthdays correspond to distinct $i, j$ with $y_i = y_j$ (i.e., matching birthdays correspond to collisions).

When $q = \Theta(2^{\ell/2})$, the probability of such a collision is roughly 1/2. In the case of birthdays, it turns out that if there are only 23 people in the room, the probability that two have the same birthday is greater than 1/2. This is proven formally in Appendix A.4.

Birthday attacks on hash functions — summary. If the output length of a hash function is $\ell$ bits then the birthday attack finds a collision with high probability using $O(q) = O(2^{\ell/2})$ hash-function evaluations (by sorting the outputs, a collision can be found — if one exists — in time $O(\ell \cdot 2^{\ell/2})$; for simplicity, we assume that evaluating $H$ can be done in constant time). We therefore conclude that for the hash function to resist collision-finding attacks that run in time $T$, the output length of the hash function needs to be at least $2 \log T$ bits. When considering asymptotic bounds on security, there is no difference between a naive attack that tries $2^\ell + 1$ elements and a birthday attack that tries $2^{\ell/2}$ elements: if $\ell(n) = O(\log n)$ then both attacks run in polynomial time, but if $\ell(n)$ is super-logarithmic then both attacks do not. Nevertheless, in practice birthday attacks make a huge difference. As an example, assume a hash function is designed with output length of 128 bits. It is clearly infeasible to run $2^{128}$ steps in order to find a collision. However, running for $2^{64}$ steps is within the realm of feasibility (though still rather difficult). Thus, the existence of generic birthday attacks mandates that any collision-resistant hash function in practice needs to have output that is longer than 128 bits. We stress that having a long enough output is only a necessary condition for meeting Definition 4.12, but is very far from being a sufficient one. We also stress that birthday attacks work only for collision resistance; there are no generic attacks on hash functions for second pre-image or pre-image resistance that run in time better than $2^\ell$.

³Actually, it can be shown that this is (essentially) the worst case, and the algorithm finds collisions with higher probability if $H$ deviates significantly from random.

Improved birthday attacks. The birthday attack described above has two weaknesses. First, it requires a large amount of memory. Second, the attack gives very little control over the colliding values. It is possible to construct better birthday attacks that avoid these weaknesses.

The basic birthday attack requires the attacker to store all $q$ values $\{y_i\}$, because the attacker does not know in advance which pair of values will yield a collision. This is a significant drawback because memory is, in general, a scarcer resource than time. For an illustrative (but completely ad-hoc) example, compare $2^{60}$ bytes to $2^{60}$ CPU instructions: $2^{60}$ bytes is about 1 billion gigabytes. Using the largest commercially-available storage devices — that hold roughly 1,000 gigabytes — means that 1 million such devices would be needed. In contrast, $2^{60}$ instructions can be carried out in about 2 years (assuming a CPU carrying out 25 billion instructions per second, which represents the high end of currently-available personal computers). While this is a long time to wait, it certainly represents a feasible computation. Furthermore, computations of this complexity have actually been carried out before using large distributed networks.

We  see  that  a birthday-type  attack  becomes  much  more  feasible  if  its  space 
requirements  can  be  decreased.  In  fact,  it  is  possible  to  carry  out  a birthday- 
type  attack  with  similar  time  complexity  and  success  probability  as  before 
- but  using  only  a constant  amount  of  memory.  The  idea  is  to  take  a random 
initial  value  xq  and  then,  for  i > 0,  compute  the  values  Xi  :=  H{xi-i)  and 
X2i  :=  H{H{x2(i-i))).  In  each  step  the  values  Xi  a.nd,  X2i  are  compared;  if 
they  are  equal  then  Xi^i  and  H{x2{i-\))  are  a collision  (unless  they  happen 
to  be  equal;  which  occurs  with  negligible  probability  if  we  continue  to  model 
H as  a.  random  function).  The  key  point  is  that  the  memory  required  here 
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is  only  that  needed  to  store  the  values  Xi  and  X2i-  This  approach  can  be 
shown  to  give  a collision  with  probability  roughly  1/2  in  q = 0(2^/^)  steps; 
see  Section  8.1.2  for  analysis  of  a similar  idea  used  in  a different  context. 
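The low-memory attack above, written out as an added example (this code is not from the book). It runs against a toy hash constructed here as SHA-256 truncated to 32 bits, so a collision appears after roughly $2^{16}$ steps; the names `H`, `rho_collision` and `find_collision` are this example's own. Phase 1 is the tortoise-and-hare comparison of $x_i$ and $x_{2i}$; phase 2 is the lockstep walk from $x_0$ that turns the meeting point into an actual pair of distinct pre-images.

```python
import hashlib

OUT_BYTES = 4  # toy 32-bit output, so a collision should appear after ~2^16 steps


def H(x: bytes) -> bytes:
    """Toy hash H: SHA-256 truncated to OUT_BYTES, constructed for this example
    as a stand-in for the random function assumed in the analysis."""
    return hashlib.sha256(x).digest()[:OUT_BYTES]


def rho_collision(x0: bytes):
    """Constant-memory birthday attack (Floyd cycle finding) on H from x0.
    Returns (a, b) with a != b and H(a) == H(b), or None when x0 itself lies
    on the cycle of the sequence x_i = H(x_{i-1}) (no tail, so no collision)."""
    # Phase 1: advance x_i and x_{2i} until they agree.  Only two values live.
    tortoise, hare = H(x0), H(H(x0))
    while tortoise != hare:
        tortoise = H(tortoise)
        hare = H(H(hare))
    # Phase 2: walk from x_0 and from the meeting point in lockstep.  Their
    # images first agree at the entry point of the cycle; the two pre-images
    # at that moment differ, because one of them is still on the tail.
    a, b = x0, tortoise
    if a == b:
        return None
    while H(a) != H(b):
        a, b = H(a), H(b)
    return a, b


def find_collision(seed: bytes = b"constructed seed") -> tuple:
    """Derive starting points from the seed until a walk with a tail is hit;
    under the random-function model the first try almost always succeeds."""
    for counter in range(1000):
        result = rho_collision(H(seed + counter.to_bytes(4, "big")))
        if result is not None:
            return result
    raise RuntimeError("no collision found")  # practically unreachable


if __name__ == "__main__":
    a, b = find_collision()
    print(a.hex(), b.hex(), "->", H(a).hex())
```

Raising `OUT_BYTES` scales the running time by $2^{4}$ per extra byte while the memory stays at three hash-sized values, which is the whole point of the method.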

The second weakness that we mentioned relates to the lack of control over the colliding messages that are found. Although it is not necessary to find "meaningful" collisions in order to violate the formal definition of collision resistance, it is still nice to see that birthday attacks can find "meaningful" collisions too. Assume an attacker Alice wishes to find two messages $x$ and $x'$ such that $H(x) = H(x')$, and furthermore the first message $x$ should be a letter from her employer explaining why she was fired from work, while the second message $x'$ should be a flattering letter of recommendation. The birthday attack only relies on the fact that the messages $x_1, \ldots, x_q$ are distinct, but these messages do not need to be random. Thus, we can carry out a birthday-type attack by generating $q = \mathcal{O}(2^{\ell/2})$ messages of the first type and $q$ messages of the second type, and then looking for collisions between messages of the two types. It may seem unlikely that this can be done for the aforementioned letters; however, a little thought shows that it is easy to write the same sentence in many different ways. For example, consider the following:

It is hard/difficult/challenging/impossible to imagine/believe that we will find/locate/hire another employee/person having similar abilities/skills/character as Alice. She has done a great/super job.

The point to notice is that any combination of the alternatives separated by slashes is possible. Thus, the sentence can be written in $4 \cdot 2 \cdot 3 \cdot 2 \cdot 3 \cdot 2 = 288$ different ways. This is just one sentence, and so it is actually easy to write a letter that can be rewritten in $2^{64}$ different ways (you just need 64 words with one synonym each). Using this idea it is possible for the attacker to prepare $2^{\ell/2}$ letters explaining why the attacker was fired and another $2^{\ell/2}$ letters of recommendation; with good probability, a collision between the two types of letters will be found. This attack does require a large amount of memory: the low-memory version described above walks a single chain of hash values and cannot be steered to produce messages of two prescribed types, so it cannot be used here.
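The two-type birthday attack, as an added example (not code from the book). Both letter templates are constructed for this example, and the hash is SHA-256 truncated to 24 bits so that a cross-collision shows up after a few thousand letters of each kind; `variant`, `count_variants` and `find_meaningful_collision` are names chosen here. Each template slot lists interchangeable phrasings, so a template with slot sizes $s_1, \ldots, s_m$ yields $s_1 \cdots s_m$ distinct letters, exactly the counting argument of the text.

```python
import hashlib

OUT_BYTES = 3  # toy 24-bit output: a cross-collision is expected after ~2^12 letters of each kind


def H(x: bytes) -> bytes:
    """Toy hash: SHA-256 truncated to OUT_BYTES (constructed for this example)."""
    return hashlib.sha256(x).digest()[:OUT_BYTES]


# One tuple per slot; a letter is the concatenation of one choice per slot.
FIRED = [
    ("Dear", "To"), (" Ms. Alice,", " Alice,"),
    ("\n\nIt is", "\n\nIt's"), (" with regret", " regretfully"), (" that I", " that we"),
    (" inform", " notify", " advise"), (" you that", " you"), (" your employment", " your position"),
    (" is terminated", " has been terminated", " ends"),
    (" effective immediately.", " as of today.", " effective today."),
    (" Your repeated", " Your persistent", " Your continued"), (" absences", " lateness"),
    (" and", " together with"), (" poor", " unsatisfactory", " substandard"), (" performance", " results"),
    (" leave us", " leave the company"), (" no other option.", " no alternative.", " no choice."),
    ("\n\nSincerely,", "\n\nRegards,"), ("\nBob", "\nBob Smith"),
]
RECOMMEND = [
    ("To whom it may concern,", "Dear Sir or Madam,"),
    ("\n\nIt is", "\n\nIt's"), (" hard", " difficult", " challenging", " impossible"),
    (" to imagine", " to believe"), (" that we will", " that we could"), (" find", " locate", " hire"),
    (" another", " a second"), (" employee", " person"), (" having", " with"), (" similar", " comparable"),
    (" abilities", " skills", " character"), (" as Alice.", " to Alice."),
    (" She has done", " She did"), (" a great", " a super", " an excellent"), (" job.", " job for us."),
    ("\n\nSincerely,", "\n\nRegards,"), ("\nBob", "\nBob Smith"),
]


def count_variants(template) -> int:
    """Number of distinct letters the template can produce (product of slot sizes)."""
    n = 1
    for slot in template:
        n *= len(slot)
    return n


def variant(template, k: int) -> str:
    """The k-th letter of the template: k is decoded in mixed radix, one digit per slot."""
    parts = []
    for slot in template:
        k, digit = divmod(k, len(slot))
        parts.append(slot[digit])
    return "".join(parts)


def find_meaningful_collision(max_each: int = 1 << 19):
    """Two-set birthday attack.  Every hash of each type is stored (this is the
    memory the text warns about); stop at the first letter of one type whose
    hash already appears in the other type's table."""
    seen_fired, seen_rec = {}, {}
    limit = min(max_each, count_variants(FIRED), count_variants(RECOMMEND))
    for k in range(limit):
        fired = variant(FIRED, k)
        hf = H(fired.encode())
        if hf in seen_rec:
            return fired, seen_rec[hf]
        seen_fired[hf] = fired
        rec = variant(RECOMMEND, k)
        hr = H(rec.encode())
        if hr in seen_fired:
            return seen_fired[hr], rec
        seen_rec[hr] = rec
    return None


if __name__ == "__main__":
    fired, rec = find_meaningful_collision()
    print(H(fired.encode()).hex())
    print(fired, "\n---\n", rec)
```

With $q$ letters of each type and an $\ell$-bit output, the expected number of cross-collisions is about $q^2 / 2^{\ell}$, so the search is expected to stop near $q \approx 2^{\ell/2}$; the two tables hold $2q$ entries, which is what makes this variant memory-hungry.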

4.6.4 The Merkle-Damgard Transform

We now present an important methodology called the Merkle-Damgard transform that is widely used for constructing collision-resistant hash functions in practice. The methodology enables a conversion from any fixed-length hash function to a full-fledged hash function (i.e., one handling inputs of arbitrary length) while maintaining the collision resistance property (if present) of the former. This means that when designing collision-resistant hash functions, we can restrict our attention to the fixed-length case. This in turn makes the job of designing practical collision-resistant hash functions much easier. In addition to being used extensively in practice, the Merkle-Damgard transform is interesting from a theoretical point of view since it implies that compressing by a single bit is as easy (or as hard) as compressing by an arbitrary amount.

For concreteness, we consider the case that we are given a fixed-length collision-resistant hash function that compresses its input by half; that is, the input length is $\ell'(n) = 2\ell(n)$ and the output length is $\ell(n)$. In Exercise 4.14 you are asked to generalize the construction for any $\ell' > \ell$. We denote the fixed-length collision-resistant hash function by $(\mathsf{Gen}, h)$ and use it to construct a collision-resistant hash function $(\mathsf{Gen}, H)$ that maps inputs of any length to outputs of length $\ell(n)$. ($\mathsf{Gen}$ will remain unchanged.) In much of the literature, the fixed-length collision-resistant hash function is called a compression function. The Merkle-Damgard transform is defined in Construction 4.13 and depicted in Figure 4.2.


CONSTRUCTION 4.13

Let $(\mathsf{Gen}, h)$ be a fixed-length collision-resistant hash function for inputs of length $2\ell(n)$ and with output length $\ell(n)$. Construct a variable-length hash function $(\mathsf{Gen}, H)$ as follows:

• Gen: remains unchanged.

• H: on input a key $s$ and a string $x \in \{0,1\}^*$ of length $L < 2^{\ell}$, do the following (set $\ell = \ell(n)$ in what follows):

  1. Set $B := \lceil L/\ell \rceil$ (i.e., the number of blocks in $x$). Pad $x$ with zeroes so its length is a multiple of $\ell$. Parse the padded result as the sequence of $\ell$-bit blocks $x_1, \ldots, x_B$. Set $x_{B+1} := L$, where $L$ is encoded using exactly $\ell$ bits.

  2. Set $z_0 := 0^{\ell}$.

  3. For $i = 1, \ldots, B+1$, compute $z_i := h^s(z_{i-1} \| x_i)$.

  4. Output $z_{B+1}$.

The Merkle-Damgard transform.

We limit the length of $x$ to be at most $2^{\ell} - 1$ so that its length $L$ can be encoded as an integer of length $\ell(n)$. See footnote 3 for an explanation as to why this is not a limitation in either a practical or a theoretical sense.

The initialization vector. The value $z_0$ used in step 2 of Construction 4.13 is arbitrary and can be replaced by any constant. This value is typically called the IV or initialization vector.

The security of the Merkle-Damgard transform. The intuition behind the security of the Merkle-Damgard transform is that if two different strings $x$ and $x'$ collide in $H^s$, then there must be distinct intermediate values $z_{i-1} \| x_i$ and $z'_{i-1} \| x'_i$ in the computation of $H^s(x)$ and $H^s(x')$, respectively, such that $h^s(z_{i-1} \| x_i) = h^s(z'_{i-1} \| x'_i)$. Stated differently, a collision in $H^s$ can only occur if there is a collision in the underlying $h^s$. We demonstrate this in the proof by showing that if such a collision in $h^s$ does not occur, then $x$ must equal $x'$ (in contradiction to the assumption that $x$ and $x'$ constitute a collision in $H^s$). We now proceed to the formal proof.

FIGURE 4.2: The Merkle-Damgard transform.


THEOREM 4.14 If $(\mathsf{Gen}, h)$ is a fixed-length collision-resistant hash function, then $(\mathsf{Gen}, H)$ is a collision-resistant hash function.

PROOF We show that for any $s$, a collision in $H^s$ yields a collision in $h^s$. Let $x$ and $x'$ be two different strings of respective lengths $L$ and $L'$ such that $H^s(x) = H^s(x')$. Let $x_1, \ldots, x_B$ be the $B$ blocks of the padded $x$, and let $x'_1, \ldots, x'_{B'}$ be the $B'$ blocks of the padded $x'$. Recall that $x_{B+1} = L$ and $x'_{B'+1} = L'$. There are two cases to consider:

1. Case 1: $L \neq L'$. In this case, the last step of the computation of $H^s(x)$ is $z_{B+1} := h^s(z_B \| L)$ and the last step of the computation of $H^s(x')$ is $z'_{B'+1} := h^s(z'_{B'} \| L')$. Since $H^s(x) = H^s(x')$ it follows that $h^s(z_B \| L) = h^s(z'_{B'} \| L')$. However, $L \neq L'$ and so $z_B \| L$ and $z'_{B'} \| L'$ are two different strings that collide for $h^s$.

2. Case 2: $L = L'$. Note this means that $B = B'$ and $x_{B+1} = x'_{B+1}$. Let $z_i$ and $z'_i$ be the intermediate hash values of $x$ and $x'$ during the computation of $H^s(x)$ and $H^s(x')$, respectively. Since $x \neq x'$ but $|x| = |x'|$, there must exist at least one index $i$ (with $1 \le i \le B$) such that $x_i \neq x'_i$. Let $i^* \le B+1$ be the highest index for which it holds that $z_{i^*-1} \| x_{i^*} \neq z'_{i^*-1} \| x'_{i^*}$. If $i^* = B+1$ then $z_B \| x_{B+1}$ and $z'_B \| x'_{B+1}$ are two different strings that collide for $h^s$ because
$$h^s(z_B \| x_{B+1}) = z_{B+1} = H^s(x) = H^s(x') = z'_{B+1} = h^s(z'_B \| x'_{B+1}).$$
If $i^* \le B$, then maximality of $i^*$ implies $z_{i^*} = z'_{i^*}$. Thus, once again, $z_{i^*-1} \| x_{i^*}$ and $z'_{i^*-1} \| x'_{i^*}$ are two different strings that collide for $h^s$.

It follows that any collision in the hash function $H^s$ yields a collision in the fixed-length hash function $h^s$. It is straightforward to turn this into a formal security reduction, and we leave this for an exercise. ■
4.6.5 Collision-Resistant Hash Functions in Practice

As in the case of pseudorandom functions/permutations, constructions of collision-resistant hash functions come in two forms: provably-secure constructions based on certain number-theoretic assumptions[*] or highly-efficient constructions that are more heuristic in nature. We shall see a construction of the former type in Section 7.4.2. For now we turn our attention to the latter type, which includes essentially all of the hash functions that are used in practice.

One important difference between collision-resistant hash functions used in practice and the notion as we have presented it here is that hash functions used in practice are generally unkeyed. This means that a fixed hash function $H$ is defined, and there is no longer any notion of a $\mathsf{Gen}$ algorithm generating a key for $H$ (and, indeed, $H$ takes no key). From a purely theoretical point of view, it is necessary to include keys in any discussion of collision-resistant hash functions since it is difficult to define a meaningful notion of collision resistance for unkeyed hash functions.[†] The most that can be claimed about an unkeyed hash function is that it is infeasible to come up with an algorithm that runs in some "reasonable" amount of time (say, 75 years) and finds a collision in $H$. In practice, this sort of security guarantee is enough.

Even on a pragmatic level, keyed hash functions have advantages: for one, if a collision is ever found in an unkeyed function $H$ (say, by mounting an exhaustive search taking many years) then $H$ is no longer collision resistant in any meaningful sense, and must be replaced. If $H$ were a keyed function then a collision for $H^s$ that was found using brute-force search does not necessarily make it any easier to find a collision in $H^{s'}$ for a freshly-generated key $s'$; thus, $H$ can continue to be used as long as the key is updated.

Although we cannot hope to prove collision resistance for the hash functions used in practice (in particular, because they are unkeyed), this does not mean that we do away with proofs altogether when using such hash functions within some larger construction. Proofs of security that rely on collision resistance all show that if the construction under consideration can be "broken" by some polynomial-time adversary, then a collision can be found in the underlying hash function in polynomial time (we have seen one such example when we proved security of the Merkle-Damgard transform). When considering unkeyed functions, this could be translated into a statement of the following form: "if an adversary breaks the given construction in some amount of time, then it is possible to find a collision in the hash function in a similar[‡] amount of time". If we believe that it is hard to find a collision in the given hash function in any reasonable amount of time, then this gives a reasonable security guarantee for the larger construction.

[*] Interestingly, the assumptions currently needed to construct collision-resistant hash functions are stronger than those needed to construct pseudorandom permutations, and there is some indication that this might be inherent.

[†] To get a sense for the technical problem, let $x, x'$ be a collision for the fixed hash function $H$ (if $H$ handles inputs longer than its output length then such $x, x'$ surely exist). Now, consider the (constant-time) algorithm that simply outputs $x$ and $x'$. Such an algorithm finds a collision in $H$ with probability 1. Note that an analogous algorithm that outputs a collision in $H^s$ for a randomly-chosen (rather than fixed) key $s$ does not exist.

Coming back to practical constructions, the "birthday attack" discussed previously gives a lower bound on the output length of a hash function that is required in order to achieve some level of security: if the hash function should be collision resistant against adversaries running in time $2^{\ell}$, then the output length of the hash function should be at least $2\ell$ bits. Good collision-resistant hash functions in practice have an output length of at least 160 bits, meaning that a birthday attack would take time $2^{80}$, something out of reach at the time of writing.

Two popular hash functions are MD5 and SHA-1. (As discussed below, due to recent attacks MD5 is no longer secure and should not be used in any application requiring collision resistance. We include it here because MD5 is still used in legacy code.) Both MD5 and SHA-1 first define a compression function that compresses fixed-length inputs by a relatively small amount (in our terms, this compression function is a fixed-length collision-resistant hash function). Then the Merkle-Damgard transform (or something very similar) is applied to the compression function in order to obtain a collision-resistant hash function for arbitrary-length inputs. The output length of MD5 is 128 bits and that of SHA-1 is 160 bits. The longer output length of SHA-1 makes the generic "birthday attack" more difficult: for MD5, a birthday attack requires $\sqrt{2^{128}} = 2^{64}$ hash computations, while for SHA-1 such an attack requires $\sqrt{2^{160}} = 2^{80}$ hash computations.

In 2004, a team of Chinese cryptanalysts presented a breakthrough attack on MD5 and a number of related hash functions. Their technique for finding collisions gives little control over the collisions that are found; nevertheless, it was later shown that their method (and in fact any method that finds "random collisions") can be used to find collisions between, for example, two PostScript files generating whatever viewable content is desired. A year later, the Chinese team showed (theoretical) attacks on SHA-1 that would find collisions using less time than that required by a generic birthday attack. The attack on SHA-1 requires time $2^{69}$, which lay outside the range of feasibility at the time of writing, when no explicit collision in SHA-1 had yet been found. (This is in contrast to the attack on MD5, which finds collisions in minutes.) Since then, explicit SHA-1 collisions have been published, and SHA-1, like MD5, should no longer be used where collision resistance is required.

These attacks have motivated a shift toward stronger hash functions with larger output lengths which are less susceptible to the known set of attacks on MD5 and SHA-1. Notable in this regard is the SHA-2 family, which extends SHA-1 and includes hash functions with 256- and 512-bit output lengths. Another ramification of the attacks is that there is now great interest in designing new hash functions and developing a new hash standard.


[‡] Actually, this is not always the case: in some proofs, an adversary running for some time $t$ that "breaks" the construction is translated into an adversary running for a much longer time (say, $t^2$) that finds a collision. In this case the security guarantee may not be very useful.
4.7 * NMAC and HMAC

Until now we have seen constructions of message authentication codes that are based on pseudorandom functions (or block ciphers). A different approach is taken in the NMAC and HMAC constructions, which are based on collision-resistant hash functions constructed using the Merkle-Damgard transform applied to some underlying compression function (where a compression function is the popular term in this context for a fixed-length collision-resistant hash function). Most known collision-resistant hash functions are constructed in this way and so NMAC and HMAC have wide applicability. Loosely speaking, the security of NMAC and HMAC relies on the assumption that, in addition to collision resistance, the compression function has certain pseudorandom properties. This assumption is believed to be true of the compression functions used in most practical hash functions. Below, we discuss more precisely the assumptions required of the compression function.

In the next section we describe NMAC and briefly discuss its security. We then present HMAC, which can be viewed as a special case of NMAC. As usual, our descriptions of the constructions are not complete. In particular, we do not specify how the input messages are padded before the computation begins.

Notation: the IV in Merkle-Damgard. In this section we will explicitly refer to the IV used in the Merkle-Damgard transform of Construction 4.13; recall that this is the (fixed) value assigned to $z_0$. In the standard Merkle-Damgard construction, the IV is fixed to an arbitrary constant; here, however, we will wish to vary it. We denote by $H^s_{IV}(x)$ the computation of Construction 4.13 on input $x$ with key $s$, and with $z_0$ set to the value $IV \in \{0,1\}^{\ell}$.

4.7.1 Nested MAC (NMAC)

Let $H$ be a hash function constructed using the Merkle-Damgard transform applied to the compression function $h$. For simplicity, we let $n$ denote the output length of $H$ and $h$ (rather than $\ell(n)$ as before), and we continue to assume that $h$ compresses its input by half. The first step in the construction of NMAC is to define secretly-keyed versions of the compression and hash functions. Let $s$ be a fixed, non-secret key and define a secretly-keyed version of $h^s$ by $h^s_k(x) := h^s(k \| x)$. That is, the secretly-keyed compression function works by applying the unkeyed compression function to the concatenation of the secret key $k$ and the message. Define $H^s_k$ to be the hash function obtained by setting $IV = k$ in the Merkle-Damgard construction. (This is consistent with the notation introduced above for $H^s_{IV}(x)$.) Note that in the first iteration of the Merkle-Damgard transform, the value $z_1 := h^s(IV \| x_1)$ is computed. Here $IV = k$ and so we obtain that $z_1 = h^s(k \| x_1) = h^s_k(x_1)$.
FIGURE 4.3: NMAC.

We are now ready to define NMAC. In words, NMAC works by first applying a secretly-keyed collision-resistant hash function $H^s_{k_2}$ to the input $m$, and then applying a secretly-keyed compression function $h^s_{k_1}$ to the result. (See Construction 4.15 and Figure 4.3.) $H^s_{k_2}$ is called the inner function and $h^s_{k_1}$ is called the outer function.

CONSTRUCTION 4.15

Let $(\mathsf{Gen}, h)$ be a fixed-length collision-resistant hash function, and let $(\mathsf{Gen}, H)$ be the result of applying the Merkle-Damgard transform to $(\mathsf{Gen}, h)$. NMAC defines a MAC as follows:

• Gen: on input $1^n$, run $\mathsf{Gen}(1^n)$ to obtain a key $s$. Also choose $k_1, k_2 \leftarrow \{0,1\}^n$ at random. Output the key $(s, k_1, k_2)$.

• Mac: on input a key $(s, k_1, k_2)$ and a message $m \in \{0,1\}^*$, output the tag $t := h^s_{k_1}\big(H^s_{k_2}(m)\big)$.

• Vrfy: on input a key $(s, k_1, k_2)$, a message $m \in \{0,1\}^*$, and a tag $t$, output 1 if and only if $t = \mathsf{Mac}_{s,k_1,k_2}(m)$.

Nested MAC (NMAC).

The security of NMAC relies on the assumption that $h^s_k$ with key $k$ constitutes a secure MAC. Formally, given a fixed-length hash function $(\mathsf{Gen}, h)$, define the fixed-length message authentication code $\Pi = (\mathsf{Gen}', \mathsf{Mac}, \mathsf{Vrfy})$ for messages of length $n$ as follows: $\mathsf{Gen}'(1^n)$ runs $\mathsf{Gen}(1^n)$ to obtain $s$ and also picks a key $k \leftarrow \{0,1\}^n$ uniformly at random; the key is $(s, k)$. Then set $\mathsf{Mac}_{s,k}(m) := h^s_k(m)$ for $m \in \{0,1\}^n$, and define $\mathsf{Vrfy}$ in the natural way. We say that $(\mathsf{Gen}, h)$ yields a secure MAC if $\Pi$ defined in this way is a secure fixed-length MAC.
THEOREM 4.16 Let $(\mathsf{Gen}, H)$ denote the Merkle-Damgard transform applied to $(\mathsf{Gen}, h)$. If $(\mathsf{Gen}, h)$ is collision resistant and yields a secure MAC (as defined above), then NMAC is existentially unforgeable under an adaptive chosen-message attack (for arbitrary-length messages).

Essentially, the NMAC construction first hashes the message $m$ to be authenticated (using a collision-resistant hash function) and then applies a fixed-length message authentication code to the result (where this MAC is also based on the same hash function). It is analogous to the "hash-and-sign" approach discussed extensively in Section 12.4, and we therefore content ourselves here with merely sketching the ideas behind the proof of security for NMAC. Assume toward a contradiction that there exists a probabilistic polynomial-time adversary $\mathcal{A}$ attacking NMAC that forges a valid tag on a new message with non-negligible probability. Recall that $\mathcal{A}$ is given a MAC oracle which it can query for a tag on any message of its choice. Let $m^*$ denote the message for which $\mathcal{A}$ produces its forgery, and let $\mathcal{Q}$ denote the set of queries made by $\mathcal{A}$ to its MAC oracle (i.e., the set of messages for which it obtained a MAC tag). Assume without loss of generality that $m^* \notin \mathcal{Q}$ (since $\mathcal{A}$ cannot succeed otherwise). There are two possible cases:

1. Case 1: there exists a message $m \in \mathcal{Q}$ such that $H^s_{k_2}(m^*) = H^s_{k_2}(m)$. In this case, the MAC tag for $m$ is equal to the MAC tag for $m^*$ and so clearly $\mathcal{A}$ can successfully forge a valid tag on $m^*$. However, this case directly contradicts the assumption that $H$ is collision resistant because $\mathcal{A}$ has found distinct $m$ and $m^*$ for which $H^s_{k_2}(m^*) = H^s_{k_2}(m)$. (By Theorem 4.14, collision resistance of $(\mathsf{Gen}, h)$ implies collision resistance of $(\mathsf{Gen}, H_{k_2})$ for any value of $k_2$, since the proof of that theorem never uses the particular value of the IV.)

2. Case 2: for every message $m \in \mathcal{Q}$ it holds that $H^s_{k_2}(m^*) \neq H^s_{k_2}(m)$. Define $\mathcal{Q}' := \{H^s_{k_2}(m) \mid m \in \mathcal{Q}\}$. The important observation here is that $m^*$ is such that $H^s_{k_2}(m^*) \notin \mathcal{Q}'$. In this case, then, $\mathcal{A}$ is forging a valid tag on the "new message" $H^s_{k_2}(m^*)$ with respect to the fixed-length message authentication code $\Pi$ described immediately prior to Theorem 4.16. This contradicts the assumption that $\Pi$ is a secure MAC.

For a formal proof of the above, we refer the reader to Theorem 12.5, where an almost identical proof is given in the context of digital signature schemes. It is straightforward to translate that proof into one that works here as well.

Security assumptions. We caution that the assumption that $(\mathsf{Gen}, h)$ yields a secure MAC is not implied by the assumption that it is collision resistant. Nevertheless, existing practical compression functions (like the one used in SHA-1) are assumed to satisfy this additional requirement.

The key $s$ in Construction 4.15 does not need to be secret in order for security of NMAC to hold. This means that a system-wide key $s$ can be chosen once-and-for-all and used by all parties, and indeed this is what is done in practice when using an unkeyed hash function (which can be viewed as a hash function using a fixed key $s$).
The key $k_2$ in Construction 4.15 is not needed once we assume that $(\mathsf{Gen}, h)$ is collision resistant. (That is, we could have simply fixed $k_2 = 0^n$ as in our original description of the Merkle-Damgard transform.) Indeed, we did not rely on $k_2$ anywhere in the proof sketch given above. The reason for the introduction of $k_2$ in NMAC is that it allows a proof of security for NMAC based on a potentially weaker assumption. Specifically, consider the following modified definition of collision resistance: a key $s$ is generated using $\mathsf{Gen}$ and a random $k_2 \leftarrow \{0,1\}^n$ is also chosen. Then the adversary is allowed to interact with a "hash oracle" that returns $H^s_{k_2}(x)$ in response to the query $x$. (A variant would be to also give the adversary the non-secret key $s$.) The adversary succeeds if it can output distinct inputs $x, x'$ such that $H^s_{k_2}(x) = H^s_{k_2}(x')$, and we say that $(\mathsf{Gen}, H)$ is weakly collision resistant if every PPT $\mathcal{A}$ succeeds in this experiment with only negligible probability. If $(\mathsf{Gen}, H)$ is collision resistant then it is clearly weakly collision resistant as well; however, the latter is a weaker condition that is potentially easier to satisfy.

Weak collision resistance suffices for proving that NMAC is a secure MAC, as can be seen by careful examination of the proof sketch given previously. Note also that if $s$ is a system-wide parameter (as is essentially the case when unkeyed hash functions are used), then a brute-force attack that finds a collision in $H^s_{IV}$ for some value of $IV$ does not help in finding a collision in $H^s_{k_2}$ for a randomly-chosen $k_2$. This is doubly true if $k_2$ is additionally kept secret: even if it is possible to find collisions in $H^s_{k_2}$ using, say, $q$ invocations of the hash function (i.e., $q = 2^{n/2}$ if the birthday attack is used), it will be difficult for an adversary to obtain $q$ legitimate tags from the honest communicating parties. To make an attack even more difficult, the adversary does not even receive $H^s_{k_2}(x)$; rather, it receives $h^s_{k_1}(H^s_{k_2}(x))$, which at the very least hides much of $H^s_{k_2}(x)$.

4.7.2  HMAC 

A disadvantage of NMAC is that the IV of the underlying hash function $H$ must be modified. In practice this may cause complications because the IV in, say, SHA-1 is fixed by the function specification, and so existing cryptographic libraries do not enable an external IV input. HMAC solves this problem by keying the compression and hash functions differently. Another difference is that HMAC uses a single secret key, rather than two secret keys.

Let $H$ and $h$ be as in the previous section. We continue to assume that the output lengths of $H$ and $h$ are $n$ bits, and that $h$ compresses its input by half. We let $IV$ be a fixed value for the initialization vector that is assumed to be outside the control of the honest parties. We assume that when $x \in \{0,1\}^n$ (i.e., $x$ is only a single block), then the computation of $H^s_{IV}(x)$ involves only a single invocation of the compression function $h^s$. This is technically not the case for our description of the Merkle-Damgard transform because we always appended the length as an additional block. However, in practice, when the input is small enough, the length is included in the first block. In order to simplify these issues, when $x$ is of length $n$, we will just ignore the concatenation of the length and set $H^s_{IV}(x) := h^s(IV \| x) = h^s_{IV}(x)$.


CONSTRUCTION 4.17

Let $(\mathsf{Gen}, h)$ be a fixed-length collision-resistant hash function, and let $(\mathsf{Gen}, H)$ be the result of applying the Merkle-Damgard transform to $(\mathsf{Gen}, h)$. Let $IV$, $\mathsf{opad}$, and $\mathsf{ipad}$ be fixed constants of length $n$. HMAC defines a MAC as follows:

• Gen: on input $1^n$, run $\mathsf{Gen}(1^n)$ to obtain a key $s$. Also choose $k \leftarrow \{0,1\}^n$ at random. Output the key $(s, k)$.

• Mac: on input a key $(s, k)$ and a message $m \in \{0,1\}^*$ of length $L$, output the tag
$$t := H^s_{IV}\Big( (k \oplus \mathsf{opad}) \,\|\, H^s_{IV}\big( (k \oplus \mathsf{ipad}) \,\|\, m \big) \Big).$$

• Vrfy: on input a key $(s, k)$, a message $m \in \{0,1\}^*$, and a tag $t$, output 1 if and only if $t = \mathsf{Mac}_{s,k}(m)$.

HMAC.

HMAC uses two constants $\mathsf{opad}$ and $\mathsf{ipad}$. These are two strings of length $n$ (i.e., the length of a single block of the input to $H$) and are defined as follows: $\mathsf{ipad}$ consists of the byte 0x36 repeated as many times as needed; $\mathsf{opad}$ is formed in the same way using the byte 0x5C. (These are the values fixed by the HMAC standard, RFC 2104; an implementation that swaps them will not interoperate with any other.)

HMAC is given as Construction 4.17 and is depicted graphically in Figure 4.4. At first glance, it looks very different from Construction 4.15. However, it is possible to view HMAC as a variant of NMAC. To see this, note that the first step in the computation of the inner hash $H^s_{IV}((k \oplus \mathsf{ipad}) \| m)$ is to compute $k_2 := z_1 := h^s(IV \| (k \oplus \mathsf{ipad}))$. We therefore have that
$$H^s_{IV}\big((k \oplus \mathsf{ipad}) \| m\big) = H^s_{k_2}(m).$$
Likewise, the first step in the computation of the outer hash is to compute $k_1 := z'_1 := h^s(IV \| (k \oplus \mathsf{opad}))$. Thus:
$$H^s_{IV}\Big((k \oplus \mathsf{opad}) \,\|\, H^s_{IV}\big((k \oplus \mathsf{ipad}) \| m\big)\Big) = H^s_{k_1}\big(H^s_{k_2}(m)\big).$$
Since $H^s_{k_2}(m)$ is only a single block long, this in turn is equal to $h^s_{k_1}(H^s_{k_2}(m))$ (by our above assumption on $H^s$). Thus, this is exactly NMAC using the two dependent keys $k_1, k_2$. (These keys are dependent since they are derived in a deterministic way from the key $k$.)
FIGURE 4.4: HMAC.


Define
$$G(k) := h^s\big(IV \| (k \oplus \mathsf{opad})\big) \,\|\, h^s\big(IV \| (k \oplus \mathsf{ipad})\big) = k_1 \| k_2. \qquad (4.4)$$

If $G$ is a pseudorandom generator and $k \leftarrow \{0,1\}^n$ is chosen uniformly at random, then the dependent keys $k_1$ and $k_2$ "look like" independent, uniformly-chosen keys and can be treated this way. Thus, if we assume that $G$ is a pseudorandom generator then the security of HMAC reduces to the security of NMAC. We have the following theorem:


THEOREM 4.18 Let $(\mathsf{Gen}, h)$ satisfy the same conditions as in Theorem 4.16. If $G$ as defined in Equation (4.4) is a pseudorandom generator, then HMAC is existentially unforgeable under an adaptive chosen-message attack (for arbitrary-length messages).


HMAC in practice. HMAC is an industry standard and is widely used in practice. It is highly efficient and easy to implement, and is supported by a proof of security (based on assumptions that are believed to hold for practical hash functions that are considered collision resistant). The importance of HMAC is partially due to the timeliness of its appearance. Before the introduction of HMAC, many practitioners refused to use CBC-MAC (with the claim that it was “too slow”) and instead used heuristic constructions of message authentication codes that were often insecure. For example, a common mistake was to define a MAC as $H^s(k \| x)$ (where $k$ is a secret key). It is not difficult to show that when $H$ is constructed using the Merkle-Damgård transform, this is not a secure MAC at all.
4.8 * Constructing CCA-Secure Encryption Schemes

In  Section  3.7,  we  introduced  the  notion  of  CCA  security  for  private-key 
encryption  schemes.  (We  will  not  review  the  definition  here,  so  the  reader  is 
encouraged  to  re-read  that  section  before  continuing.)  In  this  section  we  will 
use  message  authentication  codes,  along  with  CPA-secure  encryption  schemes, 
to  construct  private-key  encryption  schemes  meeting  that  notion  of  security. 

Constructing CCA-secure encryption schemes. The construction works in the following way. The sender and receiver share two keys, one for a CPA-secure encryption scheme and the other for a message authentication code. To encrypt a message $m$, the sender first encrypts it using the CPA-secure scheme and then computes a MAC tag $t$ on the resulting ciphertext $c$; the entire ciphertext is now $(c, t)$. Given a ciphertext $(c, t)$, the recipient verifies validity of the MAC tag before decrypting $c$.

Let us say a ciphertext $(c, t)$ is valid if $t$ is a valid MAC tag on $c$. The effect of this construction is that an adversary will be unable to generate any valid ciphertext that was not sent by one of the honest parties. (Technically speaking, we need an extra condition on the MAC; this, however, is the intuition.) This has the effect of rendering the decryption oracle useless, as we will see in the formal proof of security.


CONSTRUCTION 4.19

Let $\Pi_E = (\mathsf{Gen}_E, \mathsf{Enc}, \mathsf{Dec})$ be a private-key encryption scheme and let $\Pi_M = (\mathsf{Gen}_M, \mathsf{Mac}, \mathsf{Vrfy})$ be a message authentication code. Define an encryption scheme $(\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ as follows:

• $\mathsf{Gen}'$: On input $1^n$, run $\mathsf{Gen}_E(1^n)$ and $\mathsf{Gen}_M(1^n)$ to obtain keys $k_1, k_2$, respectively.

• $\mathsf{Enc}'$: on input a key $(k_1, k_2)$ and a plaintext message $m$, compute $c \leftarrow \mathsf{Enc}_{k_1}(m)$ and $t \leftarrow \mathsf{Mac}_{k_2}(c)$ and output the ciphertext $(c, t)$.

• $\mathsf{Dec}'$: on input a key $(k_1, k_2)$ and a ciphertext $(c, t)$, first check whether $\mathsf{Vrfy}_{k_2}(c, t) = 1$. If yes, then output $\mathsf{Dec}_{k_1}(c)$; if no, then output $\bot$.

A CCA-secure private-key encryption scheme.

In Construction 4.19, we extend the syntax of a private-key encryption scheme so as to allow the decryption algorithm $\mathsf{Dec}'$ to output the special symbol $\bot$ indicating “failure”. Correctness implies that no ciphertext output by $\mathsf{Enc}'$ results in the decryption algorithm outputting $\bot$.

Before proving security of this construction, we introduce an additional requirement on the MAC scheme. Say $(\mathsf{Gen}_M, \mathsf{Mac}, \mathsf{Vrfy})$ has unique tags if for every $k$ and every $m$ there is a unique value $t$ such that $\mathsf{Vrfy}_k(m, t) = 1$. (This implies that $\mathsf{Mac}$ is deterministic, or might as well be.) The requirement of unique tags is not hard to achieve; in fact, the variable-length MAC of Construction 4.5 is the only construction we have seen that does not satisfy this property.

THEOREM 4.20 If $\Pi_E$ is a CPA-secure private-key encryption scheme and $\Pi_M$ is a secure message authentication code with unique tags, then Construction 4.19 is a CCA-secure private-key encryption scheme.

PROOF The idea behind the proof of this theorem is as follows. As defined earlier, say a ciphertext $(c, t)$ is valid (with respect to secret key $(k_1, k_2)$) if $\mathsf{Vrfy}_{k_2}(c, t) = 1$. The adversary's queries to its decryption oracle are of two types: ciphertexts that the adversary received from its encryption oracle, and those that it did not. The first type of decryption query is not very useful, since the adversary already knows the message corresponding to the ciphertext. (Specifically, if the adversary received $(c, t)$ in response to an encryption oracle query for the message $m$, then the adversary knows that the decryption of $(c, t)$ is $m$.) As for ciphertexts of the second type, since $\Pi_M$ is a secure message authentication code we can argue that (except with negligible probability) all such ciphertexts will be invalid and so the decryption oracle will simply return $\bot$ in this case. Thus, the second type of query is not useful either. Since the decryption oracle is essentially useless, security of $\Pi' = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ is reduced to the CPA-security of $\Pi_E$. We now give the formal proof.

Let $\mathcal{A}$ be a probabilistic polynomial-time adversary attacking Construction 4.19 in a chosen-ciphertext attack (cf. Definition 3.30). Let $\mathsf{ValidQuery}$ be the event that $\mathcal{A}$ submits a query $(c, t)$ to its decryption oracle that was not previously obtained from its encryption oracle but for which $\mathsf{Vrfy}_{k_2}(c, t) = 1$. We have

$$\Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1] \le \Pr[\mathsf{ValidQuery}] + \Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}]. \qquad (4.5)$$

We will show that $\Pr[\mathsf{ValidQuery}]$ is negligible, and that there exists a negligible function $\mathsf{negl}$ such that $\Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}] \le \frac{1}{2} + \mathsf{negl}(n)$. This proves the theorem.

CLAIM 4.21 $\Pr[\mathsf{ValidQuery}]$ is negligible.

Intuitively, this is due to the fact that if $\mathsf{ValidQuery}$ occurs then the adversary has forged a valid tag $t$ on a new “message” $c$. Formally, let $q(\cdot)$ be a polynomial that upper-bounds the number of decryption oracle queries made by $\mathcal{A}$, and consider the following adversary $\mathcal{A}_M$ attacking the message authentication code $\Pi_M$ (i.e., running in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A}_M,\Pi_M}(n)$):
Adversary $\mathcal{A}_M$:

$\mathcal{A}_M$ is given input $1^n$ and has access to an oracle $\mathsf{Mac}_{k_2}(\cdot)$.

1. Choose $k_1 \leftarrow \{0,1\}^n$ uniformly at random.

2. Choose $i \leftarrow \{1, \ldots, q(n)\}$ uniformly at random.

3. Run $\mathcal{A}$ on input $1^n$. When $\mathcal{A}$ makes an encryption oracle query for the message $m$, answer it as follows:

(i) Compute $c \leftarrow \mathsf{Enc}_{k_1}(m)$.

(ii) Query $c$ to the MAC oracle and receive $t$ in response. Return $(c, t)$ to $\mathcal{A}$.

The challenge ciphertext is prepared in the exact same way (with a random bit $b \leftarrow \{0,1\}$ being chosen to select the message $m_b$ that gets encrypted).

When $\mathcal{A}$ makes a decryption oracle query for the ciphertext $(c, t)$, answer it as follows:

(i) If $(c, t)$ was a response to a previous encryption oracle query for a message $m$, return $m$.

(ii) If this is the $i$th decryption oracle query using a “new” value of $c$, output $(c, t)$ and stop.

(iii) Otherwise, return $\bot$.

In essence, $\mathcal{A}_M$ is “hoping” that the $i$th decryption oracle query of $\mathcal{A}$ will be the first query of the second type to be valid, in which case $\mathcal{A}_M$ outputs a valid forgery on a message $c$ that it had never previously submitted to its MAC oracle.

Clearly $\mathcal{A}_M$ runs in probabilistic polynomial time. We now analyze the probability that $\mathcal{A}_M$ generates a good forgery and so succeeds in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A}_M,\Pi_M}(n)$. The key point is that the view of $\mathcal{A}$ when run as a subroutine by $\mathcal{A}_M$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n)$, until event $\mathsf{ValidQuery}$ occurs. To see this, note that the encryption oracle queries of $\mathcal{A}$ (as well as computation of the challenge ciphertext) are simulated perfectly by $\mathcal{A}_M$. As for the decryption oracle queries of $\mathcal{A}$, until $\mathsf{ValidQuery}$ occurs these are all simulated properly: in case (i) this is obvious; in cases (ii) or (iii), if $\mathsf{ValidQuery}$ has not occurred then the correct answer to the decryption oracle query is indeed $\bot$. We conclude that the probability of event $\mathsf{ValidQuery}$ in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A}_M,\Pi_M}(n)$ is the same as the probability of this event in experiment $\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n)$.

If $\mathcal{A}_M$ correctly guesses the index $i$ representing the decryption query when $\mathsf{ValidQuery}$ first occurs, then $\mathcal{A}_M$ succeeds in experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A}_M,\Pi_M}(n)$. The probability that $\mathcal{A}_M$ correctly guesses $i$ is $1/q(n)$. That is,

$$\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A}_M,\Pi_M}(n) = 1] \ge \Pr[\mathsf{ValidQuery}]/q(n).$$

Since $\Pi_M$ is a secure MAC and $q$ is polynomial, we conclude that $\Pr[\mathsf{ValidQuery}]$ is negligible. This completes the proof of Claim 4.21.
CLAIM 4.22 There exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}] \le \frac{1}{2} + \mathsf{negl}(n).$$

We now use the CPA-security of $\Pi_E$. Let $\mathcal{A}$ be as before, and consider the following adversary $\mathcal{A}_E$ attacking $\Pi_E$ in a chosen-plaintext attack:

Adversary $\mathcal{A}_E$:

$\mathcal{A}_E$ is given input $1^n$ and has access to an oracle $\mathsf{Enc}_{k_1}(\cdot)$.

1. Choose $k_2 \leftarrow \{0,1\}^n$ uniformly at random.

2. Run $\mathcal{A}$ on input $1^n$. When $\mathcal{A}$ makes an encryption oracle query for the message $m$, answer it as follows:

(i) Query $m$ to the encryption oracle and receive $c$ in response.

(ii) Compute $t \leftarrow \mathsf{Mac}_{k_2}(c)$, and return $(c, t)$ to $\mathcal{A}$.

When $\mathcal{A}$ makes a decryption oracle query for the ciphertext $(c, t)$, answer it as follows:

(i) If $(c, t)$ was a response to a previous encryption oracle query for a message $m$, return $m$. Otherwise, return $\bot$.

3. When $\mathcal{A}$ outputs messages $(m_0, m_1)$, output these same messages and receive a challenge ciphertext $c$ in response. Compute $t \leftarrow \mathsf{Mac}_{k_2}(c)$, and return $(c, t)$ as the challenge ciphertext for $\mathcal{A}$. Continue answering $\mathcal{A}$'s oracle queries as above.

4. Output the same bit $b'$ that is output by $\mathcal{A}$.

Notice that $\mathcal{A}_E$ does not need a decryption oracle because it simply assumes that any decryption query by $\mathcal{A}$ that uses a “new” ciphertext $(c, t)$ is invalid.

Clearly, $\mathcal{A}_E$ runs in probabilistic polynomial time. Furthermore, the view of $\mathcal{A}$ when run as a subroutine by $\mathcal{A}_E$ is distributed identically to the view of $\mathcal{A}$ in experiment $\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n)$ as long as event $\mathsf{ValidQuery}$ never occurs. (This is because if $\mathsf{ValidQuery}$ never occurs, then the correct response to any decryption query by $\mathcal{A}$ that uses a new value of $c$ is indeed $\bot$.) Therefore, the probability that $\mathcal{A}_E$ succeeds when $\mathsf{ValidQuery}$ does not occur is the same as the probability that $\mathcal{A}$ succeeds when $\mathsf{ValidQuery}$ does not occur; i.e.,

$$\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{\mathcal{A}_E,\Pi_E}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}] = \Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}],$$

implying that

$$\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{\mathcal{A}_E,\Pi_E}(n) = 1] \ge \Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{\mathcal{A}_E,\Pi_E}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}] = \Pr[\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1 \wedge \overline{\mathsf{ValidQuery}}].$$

Since $\Pi_E$ is CPA-secure, there exists a negligible function $\mathsf{negl}$ such that $\Pr[\mathsf{PrivK}^{\mathrm{cpa}}_{\mathcal{A}_E,\Pi_E}(n) = 1] \le \frac{1}{2} + \mathsf{negl}(n)$, implying Claim 4.22. The theorem is derived by combining Claims 4.21 and 4.22 with Equation (4.5). ■
The role of unique tags. If the MAC scheme $\Pi_M$ does not have unique tags, then Construction 4.19 may not be CCA-secure. Specifically, it may be easy to modify a valid tag $t$ on a value $c$ into a different (but still valid) tag $t'$ on the same value. If the challenge ciphertext is $(c, t)$, then an adversary can query $(c, t')$ to its decryption oracle and thus potentially learn the plaintext message $m_b$.

A weaker condition than the unique tags property suffices for the proof of the previous theorem: it suffices that an adversary cannot find a different valid tag $t'$ on a previously-authenticated message $m$ (though different tags may exist). Secure message authentication codes with this property are said to be strongly-secure. In any case, there exist numerous efficient MACs that have unique tags, so requiring it is not much of a restriction.

CCA-security and real-life implications. Construction 4.19 may seem unsatisfying, since it achieves CCA-security simply by ensuring that the decryption oracle is useless to the adversary. Instead of being viewed as a drawback of the construction, this should be viewed as an advantage! Specifically, although there are other ways to achieve CCA-security (see Exercise 3.14 for an example), here the adversary is unable to generate any valid ciphertext that was not already created by one of the honest parties. As we will see in the next section, this means that Construction 4.19 achieves both privacy and message authentication.


4.9  * Obtaining  Privacy  and  Message  Authentication 

In  Chapter  3,  we  studied  how  it  is  possible  to  encrypt  messages  and  thereby 
obtain  privacy.  In  this  chapter,  we  have  shown  how  message  authentication 
codes  can  be  used  to  guarantee  data  authenticity  or  integrity.  Often,  however, 
we  need  both  privacy  and  message  integrity.  It  may  be  tempting  to  think 
that  any  combination  of  a secure  encryption  scheme  and  a secure  message 
authentication  code  should  provide  both  of  these  properties.  Unfortunately, 
this  is  not  at  all  the  case.  In  general,  even  excellent  cryptographic  tools  can 
be  combined  in  such  a way  that  the  result  is  insecure.  Thus,  unless  a specific 
combination  has  been  proven  secure,  one  should  exercise  care  in  using  it. 

There are three common approaches to combining encryption and message authentication. Let $k_1$ denote an encryption key, and let $k_2$ be a MAC key.$^9$

$^9$A common mistake is to use the same key for both encryption and authentication. This should never be done, as independent keys should always be used for independent applications (unless a specific proof of security when using the same key is known). Further discussion of this point is given at the end of this section.

The three approaches are:

1. Encrypt-and-authenticate: In this method, encryption and message authentication are computed independently. That is, given a plaintext message $m$, the sender transmits $(c, t)$ where:

$$c \leftarrow \mathsf{Enc}_{k_1}(m) \quad \text{and} \quad t \leftarrow \mathsf{Mac}_{k_2}(m).$$

The receiver decrypts $c$ to recover $m$, and then verifies the tag $t$. If $\mathsf{Vrfy}_{k_2}(m, t) = 1$, the receiver outputs $m$; otherwise, it outputs $\bot$.

2. Authenticate-then-encrypt: Here a MAC tag $t$ is first computed, and then the message and tag are encrypted together. That is, the sender transmits $c$ computed as:

$$t \leftarrow \mathsf{Mac}_{k_2}(m) \quad \text{and} \quad c \leftarrow \mathsf{Enc}_{k_1}(m \| t).$$

The authentication tag $t$ is not sent “in the clear”, but is instead incorporated into the plaintext that is encrypted. The receiver decrypts $c$, and then verifies the tag $t$ on $m$. As before, if $\mathsf{Vrfy}_{k_2}(m, t) = 1$ the receiver outputs $m$; otherwise, it outputs $\bot$.

3. Encrypt-then-authenticate: In this case, the message $m$ is first encrypted and then a MAC tag is computed over the encrypted message. That is, the message is the pair $(c, t)$ where:

$$c \leftarrow \mathsf{Enc}_{k_1}(m) \quad \text{and} \quad t \leftarrow \mathsf{Mac}_{k_2}(c).$$

The receiver verifies $t$ before decrypting $c$. Observe that this is exactly Construction 4.19 from the previous section.

In this section we analyze each of the above approaches when instantiated using an arbitrary CPA-secure encryption scheme and an arbitrary secure MAC (with unique tags). Our analysis will follow an all or nothing approach: that is, we will only be satisfied with a combination that provides both privacy and integrity when using any CPA-secure encryption scheme and any secure message authentication code. In other words, we will reject any combination for which there exists even a single counterexample of a secure encryption scheme/MAC for which the combination is insecure. As an example, we will reject the “encrypt-and-authenticate” approach as being insecure. This does not mean that for every secure encryption scheme and MAC the “encrypt-and-authenticate” approach results in an insecure scheme. Rather it means that there exists a secure encryption scheme and a MAC for which the combination is insecure.

The reason we insist on an “all or nothing” approach is that this reduces the likelihood of errors in implementation. This is due to the fact that it should be possible to replace any secure encryption scheme with another one (and likewise for the MAC) without affecting the security of applications that use the scheme. Such replacements are common in practice when cryptographic libraries are updated, or when standards are modified.

Privacy only vs. privacy and message integrity. Most online tasks, and clearly any online purchase or bank transaction, need to be both encrypted and authenticated. In general, however, it is not always clear when authentication is needed in addition to secrecy. For example, when encrypting files on a disk, is it necessary to also authenticate them? At first sight, one may think that since disk encryption is used to prevent an attacker from reading secret files, there is no need for authentication. However, it may be possible for an adversary to inflict significant damage if financial reports and so on are modified (e.g., thereby causing a company to mistakenly publish false reports). It is best practice to always encrypt and authenticate by default; encryption alone should not be used unless there are compelling reasons to do so (such as implementations on severely resource-constrained devices) and, even then, only if one is absolutely sure that no damage can be caused by undetected modification of the data. Note that lack of integrity can sometimes lead to a breach of privacy, as we have seen for the case of chosen-ciphertext attacks.

Security  requirements.  In  order  to  analyze  which  of  the  combinations  of 
encryption  and  authentication  are  secure,  we  must  first  define  what  we  mean 
by  a “secure  combination” . The  best  approach  for  this  is  to  model  in  general 
what  we  mean  by  a secure  communication  channel  and  then  prove  that  a 
given  combination  meets  this  definition.  Unfortunately,  providing  a formal 
definition  of  a secure  channel  is  beyond  the  scope  of  this  book.  We  therefore 
provide  a more  “naive”  definition  that  simply  incorporates  notions  of  privacy 
and  message  integrity  separately.  This  definition  and  the  resulting  analysis 
suffice  for  understanding  the  key  issues  at  hand. 

Let $\Pi_E = (\mathsf{Gen}_E, \mathsf{Enc}, \mathsf{Dec})$ be an arbitrary encryption scheme and let $\Pi_M = (\mathsf{Gen}_M, \mathsf{Mac}, \mathsf{Vrfy})$ be a message authentication code. A message transmission scheme $\Pi' = (\mathsf{Gen}', \mathsf{EncMac}', \mathsf{Dec}')$ derived as a combination of $\Pi_E$ and $\Pi_M$ is a tuple of algorithms that operate as follows:

• The key-generation algorithm $\mathsf{Gen}'$ takes input $1^n$, and runs $\mathsf{Gen}_E(1^n)$ and $\mathsf{Gen}_M(1^n)$ to obtain keys $k_1$ and $k_2$, respectively. The key is $(k_1, k_2)$.

• The message transmission algorithm $\mathsf{EncMac}'$ takes as input the keys $(k_1, k_2)$ and a message $m$ and outputs a value $c$ that is derived by applying some combination of $\mathsf{Enc}_{k_1}(\cdot)$ and $\mathsf{Mac}_{k_2}(\cdot)$.

• The decryption algorithm $\mathsf{Dec}'$ takes as input the keys $(k_1, k_2)$ and a transmitted value $c$, and applies some combination of $\mathsf{Dec}_{k_1}(\cdot)$ and $\mathsf{Vrfy}_{k_2}(\cdot)$. The output of $\mathsf{Dec}'$ is either a plaintext $m$ or a special symbol $\bot$ that indicates an error.

The correctness requirement is that for every $n$, every pair of keys $(k_1, k_2)$ output by $\mathsf{Gen}'(1^n)$, and every value $m \in \{0,1\}^*$,

$$\mathsf{Dec}'_{k_1,k_2}\big(\mathsf{EncMac}'_{k_1,k_2}(m)\big) = m.$$

$\Pi'$ actually satisfies the syntax of a private-key encryption scheme. We refer to it as a “message transmission scheme” only because when we define security we will require message integrity in addition to privacy.

As we have mentioned, we will define security for a message transmission scheme $\Pi'$ by defining separate notions of privacy and authenticity. The notion of privacy we consider is one we have seen before: that $\Pi'$ (now viewed as an encryption scheme) be CCA-secure. (Looking ahead, this will have the effect of “boosting” the privacy requirement, because we will start with an encryption scheme $\Pi_E$ that is only CPA-secure.) Our notion of message integrity will be essentially that of existential unforgeability under an adaptive chosen-message attack. Since $\Pi'$ does not satisfy the syntactic requirements of a message authentication code, however, we introduce a definition specific to this case. Consider the following experiment defined for a message transmission scheme $\Pi'$, adversary $\mathcal{A}$, and value $n$ for the security parameter:

The secure message transmission experiment $\mathsf{Auth}_{\mathcal{A},\Pi'}(n)$:

1. A random key $k = (k_1, k_2)$ is generated by running $\mathsf{Gen}'(1^n)$.

2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to the message transmission algorithm $\mathsf{EncMac}'_k(\cdot)$. The adversary eventually outputs $c$. Let $\mathcal{Q}$ denote the set of all queries that $\mathcal{A}$ asked to its oracle.

3. Let $m := \mathsf{Dec}'_k(c)$. The output of the experiment is defined to be 1 if and only if (1) $m \neq \bot$ and (2) $m \notin \mathcal{Q}$.


DEFINITION 4.23 A message transmission scheme $\Pi'$ achieves authenticated communication if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathsf{negl}$ such that:

$$\Pr[\mathsf{Auth}_{\mathcal{A},\Pi'}(n) = 1] \le \mathsf{negl}(n).$$

Comparing the above experiment to the message authentication experiment immediately preceding Definition 4.2, we see that the adversary's job is somewhat easier here, since the adversary does not need to know the message $m$ to which its output $c$ corresponds. This means that constructions satisfying the above definition are (in some sense) more secure than constructions satisfying only Definition 4.2.

With  the  above  in  place,  we  can  now  define  a secure  message  transmission 
scheme. 
DEFINITION 4.24 A message transmission scheme $(\mathsf{Gen}', \mathsf{EncMac}', \mathsf{Dec}')$ is secure if it is both a CCA-secure encryption scheme and also achieves authenticated communication.

We  now  analyze  the  three  approaches  discussed  previously  for  combining 
encryption  and  authentication. 

Encrypt-and-authenticate. As we have described, in this approach encryption and message authentication are computed separately. Given a message $m$, the transmitted value is $(c, t)$ where

$$c \leftarrow \mathsf{Enc}_{k_1}(m) \quad \text{and} \quad t \leftarrow \mathsf{Mac}_{k_2}(m).$$

This combination is not (necessarily) secure, since it may violate privacy. To see this, note that a secure MAC does not necessarily imply any privacy and, specifically, it is possible for the tag of a message to leak the entire message. (In particular, if $(\mathsf{Gen}_M, \mathsf{Mac}, \mathsf{Vrfy})$ is a secure message authentication code, then so is the scheme defined by $\mathsf{Mac}'_k(m) = (m, \mathsf{Mac}_k(m))$.) So the encrypt-and-authenticate combination may yield a scheme that does not even have indistinguishable encryptions in the presence of an eavesdropper, the most basic level of privacy.

The above may seem to be an unnatural counterexample, but is enough because our requirements were that security should hold for any secure instantiation of the underlying building blocks. In any case, it is not hard to see that the encrypt-and-authenticate combination is not secure even when natural MACs are used (for any choice of underlying encryption scheme). In Exercise 4.19 you are asked to show that, e.g., if CBC-MAC is used as $\Pi_M$ then security against chosen-plaintext attacks does not hold.

Authenticate-then-encrypt. Here, a MAC tag $t \leftarrow \mathsf{Mac}_{k_2}(m)$ is computed; then $m \| t$ is encrypted, and the resulting value $\mathsf{Enc}_{k_1}(m \| \mathsf{Mac}_{k_2}(m))$ is transmitted. We show that this combination is also not necessarily secure. We use the following encryption scheme:

• Let $\mathsf{Transform}(m)$ be as follows: any 0 in $m$ is transformed to 00, and any 1 in $m$ is transformed arbitrarily to 01 or 10.$^{10}$ The inverse of this transform parses the encoded message as pairs of bits, and then maps 00 to 0, and 01 or 10 to 1. If a 11 is encountered, the result is $\bot$. (That is, $\mathsf{Transform}^{-1}(0110) = 11$ but $\mathsf{Transform}^{-1}(0111) = \bot$.)

• Define $\mathsf{Enc}_k(m) = \mathsf{Enc}'_k(\mathsf{Transform}(m))$, where $\mathsf{Enc}'$ represents counter mode encryption using a pseudorandom function. (The important point is that $\mathsf{Enc}'$ works by generating a new pseudorandom stream for each message to encrypt, and then XORing the stream with the message.)

Note that $\mathsf{Enc}$ is CPA-secure.

$^{10}$Of course, this encoding is contrived. However, encodings of inputs are often used and it would certainly be undesirable if the security of a cryptographic scheme depended on which encoding were used.

We show that the authenticate-then-encrypt combination of the above encryption scheme with any MAC is not secure against a chosen-ciphertext attack. The attack we show works as long as an adversary can find out if a given ciphertext is valid, even if it cannot obtain the entire decryption of the ciphertext. Thus, the attack may be easy to carry out, as all an adversary needs to do is forward a ciphertext to one of the parties and observe whether their reaction is consistent with an invalid ciphertext (e.g., if the party requests re-transmission) or not.

Consider the following chosen-ciphertext attack: Given a challenge ciphertext $c = \mathsf{Enc}'_{k_1}(\mathsf{Transform}(m \| \mathsf{Mac}_{k_2}(m)))$, the attacker simply flips the first two bits of the second block of $c$ (recall that the first block of $c$ is an initial counter value $\mathit{ctr}$) and verifies whether the resulting ciphertext is valid. (This can be determined via a query to the decryption oracle. The adversary only needs to know if the ciphertext is valid, however, and so a weaker oracle would also suffice.) If the first bit of the underlying message $m$ is 1, then the modified ciphertext will be valid. This is because if the first bit of $m$ is 1, then the first two bits of $\mathsf{Transform}(m)$ are 01 or 10, and flipping these bits yields another valid encoding of $m$. (Our choice of $\mathsf{Enc}'$ ensures that flipping the first two bits of the ciphertext has the effect of flipping the first two bits of the encoded message.) Furthermore, the tag will still be valid since it is applied to $m$ and not the encoding of $m$. On the other hand, if the first bit of $m$ is 0 then the modified ciphertext will not be valid since the first two bits of $\mathsf{Transform}(m)$ would be 00 and their complement would be 11.

This attack can be carried out on each bit of $m$ separately, resulting in complete recovery of the message $m$.

This counterexample demonstrates that the authenticate-then-encrypt combination is not, in general, secure. However, some specific instantiations of this approach are secure; an example is the specific combination used within SSL. Nevertheless, as mentioned previously, it is bad practice to use a methodology whose security depends on specific implementations.
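The following added Python example (not code from the book) implements Construction 4.19 (encrypt-then-authenticate) and the authenticate-then-encrypt scheme built from $\mathsf{Transform}$ above, using the same counter-mode encryption $\mathsf{Enc}'$ for both, and then applies the text's two-bit modification to each: whether the authenticate-then-encrypt receiver accepts the modified ciphertext tracks the first bit of $m$, while the encrypt-then-authenticate receiver rejects it regardless of $m$ because the tag covers the ciphertext and is checked first. Assumptions: HMAC-SHA256 serves both as the pseudorandom function of $\mathsf{Enc}'$ and as the MAC (deterministic, hence unique tags), and all function names are mine.

```python
import hashlib, hmac, os, random

TAGLEN = 32   # HMAC-SHA256 tag length; also the counter-mode block length here
CTRLEN = 16   # bytes of the initial counter ctr sent as the first ciphertext block

# --- building blocks: counter-mode encryption Enc' from a PRF, and a MAC --------
def F(k, ctr):
    """Pseudorandom function F_k(ctr); HMAC-SHA256 stands in for the PRF."""
    return hmac.new(k, ctr.to_bytes(CTRLEN, "big"), hashlib.sha256).digest()

def ctr_encrypt(k, m, ctr=None):
    """Enc'_k(m): fresh random ctr per message; output ctr || (m xor keystream)."""
    if ctr is None:
        ctr = int.from_bytes(os.urandom(CTRLEN), "big")
    out = ctr.to_bytes(CTRLEN, "big")
    for i in range(0, len(m), TAGLEN):
        stream = F(k, (ctr + 1 + i // TAGLEN) % 2 ** (8 * CTRLEN))
        out += bytes(a ^ b for a, b in zip(m[i:i + TAGLEN], stream))
    return out

def ctr_decrypt(k, c):
    return ctr_encrypt(k, c[CTRLEN:], int.from_bytes(c[:CTRLEN], "big"))[CTRLEN:]

def mac(k, x):
    return hmac.new(k, x, hashlib.sha256).digest()

def vrfy(k, x, t):
    return hmac.compare_digest(mac(k, x), t)   # constant-time tag comparison

# --- Construction 4.19: encrypt-then-authenticate -------------------------------
def enc_then_auth(k1, k2, m):
    c = ctr_encrypt(k1, m)
    return c, mac(k2, c)          # ciphertext (c, t); the tag covers c, not m

def dec_then_auth(k1, k2, c, t):
    if not vrfy(k2, c, t):        # Dec' checks the tag BEFORE decrypting
        return None               # None plays the role of the failure symbol
    return ctr_decrypt(k1, c)

# --- the text's authenticate-then-encrypt counterexample -------------------------
def bits(b):
    return "".join(f"{x:08b}" for x in b)

def unbits(s):
    return bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))

def transform(m):
    """Transform: 0 -> 00, 1 -> 01 or 10 (chosen arbitrarily)."""
    return "".join("00" if b == "0" else random.choice(("01", "10")) for b in m)

def inv_transform(e):
    """Transform^{-1}: 00 -> 0, 01/10 -> 1; a 11 pair means failure (None)."""
    out = []
    for i in range(0, len(e), 2):
        pair = e[i:i + 2]
        if pair == "00":
            out.append("0")
        elif pair in ("01", "10"):
            out.append("1")
        else:
            return None
    return "".join(out)

def auth_then_enc(k1, k2, m):
    """Enc'_{k1}(Transform(m || Mac_{k2}(m))): the tag is on m, not on its encoding."""
    return ctr_encrypt(k1, unbits(transform(bits(m + mac(k2, m)))))

def auth_then_dec(k1, k2, c):
    e = inv_transform(bits(ctr_decrypt(k1, c)))
    if e is None:
        return None
    mt = unbits(e)
    m, t = mt[:-TAGLEN], mt[-TAGLEN:]
    return m if vrfy(k2, m, t) else None

def flip_first_two_bits(c):
    """Flip the first two bits of the block after the counter block (the text's
    modification); in counter mode this flips the same two plaintext bits."""
    c = bytearray(c)
    c[CTRLEN] ^= 0xC0
    return bytes(c)

def ate_accepts_modified(k1, k2, m):
    """Authenticate-then-encrypt: acceptance of the modified ciphertext equals
    'the first bit of m is 1', so a bare validity oracle leaks that bit."""
    return auth_then_dec(k1, k2, flip_first_two_bits(auth_then_enc(k1, k2, m))) is not None

def eta_accepts_modified(k1, k2, m):
    """Encrypt-then-authenticate: the same modification is always rejected,
    because the tag covers the ciphertext and the receiver checks it first."""
    c, t = enc_then_auth(k1, k2, m)
    return dec_then_auth(k1, k2, flip_first_two_bits(c), t) is not None
```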

Encrypt-then-authenticate. In this approach, the message is first encrypted and then a MAC is computed over the ciphertext. That is, the message is the pair $(c, t)$ where

$$c \leftarrow \mathsf{Enc}_{k_1}(m) \quad \text{and} \quad t \leftarrow \mathsf{Mac}_{k_2}(c).$$

Decryption is done as in Construction 4.19. We have the following theorem:

THEOREM 4.25 Let $\Pi_E$ be a CPA-secure private-key encryption scheme, and let $\Pi_M$ be a secure message authentication code with unique tags. Then the combination $(\mathsf{Gen}', \mathsf{EncMac}', \mathsf{Dec}')$ derived by applying the encrypt-then-authenticate approach to $\Pi_E, \Pi_M$ is a secure message transmission scheme.

We have already proved that the above combination is CCA-secure in Theorem 4.20, and leave as an exercise the proof that it also provides authenticated communication.

Secure message transmission vs. CCA-security. Although we use the same construction for achieving CCA-security and secure message transmission, the security goals in each case are different. In the setting of CCA-security we are not necessarily interested in obtaining message authentication; rather, we wish to ensure privacy even against a strong adversary who is able to make decryption queries. When considering secure message transmission, in contrast, we are interested in the twin goals of CCA-security and integrity. Clearly, as we have defined it, secure message transmission implies CCA-security. The opposite direction is not necessarily true.

The need for independent keys. We conclude by stressing a basic principle of security and cryptography: different security goals should always use different keys. That is, if an encryption scheme and a message authentication code are both needed, then independent keys should be used for each one. In order to illustrate this here, consider what can happen to the encrypt-then-authenticate methodology when the same key $k$ is used for both encryption and authentication. Let $F$ be a strong pseudorandom permutation. It follows that both $F$ and $F^{-1}$ are strong pseudorandom permutations. Define $\mathsf{Enc}_k(m) = F_k(m \| r)$ for $m \in \{0,1\}^{n/2}$ and a random $r \leftarrow \{0,1\}^{n/2}$, and define $\mathsf{Mac}_k(c) = F_k^{-1}(c)$. It can be shown that the given encryption scheme is CPA-secure (in fact, it is even CCA-secure), and we know that the given message authentication code is a secure MAC. However, the encrypt-then-authenticate combination applied to the message $m$ with the same key $k$ yields:

$$\mathsf{Enc}_k(m),\ \mathsf{Mac}_k(\mathsf{Enc}_k(m)) \;=\; F_k(m \| r),\ F_k^{-1}(F_k(m \| r)) \;=\; F_k(m \| r),\ m \| r,$$

and the message $m$ is revealed in the clear!
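As an added example (written for this page, not taken from the book), the following Python carries out the encrypt-then-authenticate combination of Construction 4.19 and then the key-reuse failure just described. The strong pseudorandom permutation $F$ is instantiated as a four-round Feistel network with an HMAC-SHA256 round function (the Luby-Rackoff construction, with $n/2$ taken as 128 bits); that instantiation and the function names are assumptions of this example. With independent keys the tag $F_{k_2}^{-1}(c)$ is pseudorandom to an eavesdropper; with $k_1 = k_2$ the tag is literally $m \| r$.

```python
"""Encrypt-then-authenticate with Enc_k(m) = F_k(m||r) and Mac_k(c) = F_k^{-1}(c)."""
import hashlib
import hmac
import os

HALF = 16       # n/2 in bytes: m and r are 128 bits each, F acts on 256-bit blocks
ROUNDS = 4      # four Feistel rounds with a PRF round function give a strong PRP


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, i, half):
    """Round i's pseudorandom function: HMAC-SHA256 under the master key, truncated."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def F(key, block):
    """Keyed permutation F_k on 2*HALF bytes (a Feistel network standing in for the
    strong pseudorandom permutation the text assumes)."""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def F_inv(key, block):
    """F_k^{-1}: the same rounds run backwards; also a strong PRP."""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def enc(key, m):
    """Enc_k(m) = F_k(m || r) with a fresh random r; CPA-secure on its own."""
    assert len(m) == HALF
    return F(key, m + os.urandom(HALF))


def dec(key, c):
    return F_inv(key, c)[:HALF]


def mac(key, c):
    """Mac_k(c) = F_k^{-1}(c); a secure MAC with unique tags on its own."""
    return F_inv(key, c)


def vrfy(key, c, t):
    return hmac.compare_digest(mac(key, c), t)


def encrypt_then_authenticate(enc_key, mac_key, m):
    """Construction 4.19: c <- Enc_{k1}(m), t <- Mac_{k2}(c); transmit (c, t)."""
    c = enc(enc_key, m)
    return c, mac(mac_key, c)


def eavesdropper_reads(c, t):
    """What a passive adversary gets from (c, t) when k1 = k2:
    t = F_k^{-1}(F_k(m || r)) = m || r, so the first half of the tag is m itself."""
    return t[:HALF]


if __name__ == "__main__":
    k = os.urandom(32)
    c, t = encrypt_then_authenticate(k, k, b"attack at dawn!!")
    print("tag reveals:", eavesdropper_reads(c, t))
```

Note that nothing about $F$ is broken here: both the encryption scheme and the MAC are individually secure, and the same code with a second, independent key for `mac` leaks nothing. The leak is purely a consequence of composing two primitives under one key.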
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pseudorandom functions for message authentication (as in Construction 4.3)
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a fixed-length  MAC  to  a variable-length  MAC  is  due  to  Goldreich  [65].  An 
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at  the  “Hash  Function  Lounge”  [7]. 

The method of encrypting and then applying a MAC in order to achieve CCA-security was described by Dolev et al. [50]. Bellare and Namprempre [13] and Krawczyk [90] analyze different methods for simultaneously achieving privacy and authentication, and Krawczyk also analyzes the authenticate-then-encrypt approach used within SSL. Other notions of secure encryption that incorporate integrity are discussed in [85, 13]. A solution to Exercise 4.5 is given in [11].


Exercises

4.1 Say $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is a secure MAC, and for $k \in \{0,1\}^n$ the tag-generation algorithm $\mathsf{Mac}_k$ always outputs tags of length $t(n)$. Prove that $t$ must be super-logarithmic or, equivalently, that if $t(n) = O(\log n)$ then $\Pi$ cannot be a secure MAC.

Hint: Consider the probability of randomly guessing a valid tag.

4.2 Consider the following fixed-length MAC for messages of length $\ell(n) = 2n - 2$ using a pseudorandom function $F$: On input a message $m_0 \| m_1$ (with $|m_0| = |m_1| = n - 1$) and key $k \in \{0,1\}^n$, algorithm $\mathsf{Mac}$ outputs $t = F_k(0 \| m_0) \| F_k(1 \| m_1)$. Algorithm $\mathsf{Vrfy}$ is defined in the natural way. Is $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ existentially unforgeable under a chosen-message attack? Prove your answer.

4.3 Let $F$ be a pseudorandom function. Show that the following MAC for messages of length $2n$ is insecure: The shared key is a random $k \in \{0,1\}^n$. To authenticate a message $m_1 \| m_2$ with $|m_1| = |m_2| = n$, compute the tag $(F_k(m_1), F_k(F_k(m_2)))$.
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4.4 Let $F$ be a pseudorandom function. Show that each of the following message authentication codes is insecure. (In each case the shared key is a random $k \in \{0,1\}^n$.)

(a) To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^n$, compute $t := F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$.

(b) To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^n$, choose $r \leftarrow \{0,1\}^n$ at random, compute $t := F_k(r) \oplus F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$, and send $\langle r, t \rangle$.

(c) To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^{n/2}$, choose $r \leftarrow \{0,1\}^n$ at random, compute

$$t := F_k(r) \oplus F_k(\langle 1 \rangle \| m_1) \oplus \cdots \oplus F_k(\langle \ell \rangle \| m_\ell)$$

(where $\langle i \rangle$ is an $n/2$-bit encoding of the integer $i$), and send $\langle r, t \rangle$.

4.5 Consider an extension of the definition of secure message authentication where the adversary is provided with both a $\mathsf{Mac}$ and a $\mathsf{Vrfy}$ oracle.

(a) Provide a formal definition of security in this case, and explain what real-world adversarial actions are modeled by providing the adversary with a $\mathsf{Vrfy}$ oracle.

(b) Show that if $\Pi$ has unique tags (cf. Section 4.8), then $\Pi$ satisfies your definition if it satisfies Definition 4.2.

(c) Show that if $\Pi$ does not have unique tags, then $\Pi$ may satisfy Definition 4.2 but not your definition.

4.6  Is  Construction  4.3  necessarily  secure  when  instantiated  using  a weak 
pseudorandom  function  (cf.  Exercise  3.20)?  Explain. 

4.7 Prove that Construction 4.5 is secure if it is changed as follows: Instead of including $\ell$ in every block, set $t_i := F_k(r \| b \| i \| m_i)$ where $b$ is a single bit such that $b = 0$ in all blocks but the last one, and $b = 1$ in the last block. What is the advantage of this modification?

4.8  Show  that  the  basic  CBC-MAC  construction  is  not  secure  when  used  to 
authenticate  messages  of  different  lengths. 

4.9 Prove that the following modifications of CBC-MAC do not yield a secure fixed-length MAC:

(a) Modify CBC-MAC so that a random $IV$ is used each time a tag is computed (and the $IV$ is output along with $t_\ell$). I.e., $t_0 \leftarrow \{0,1\}^n$ is chosen uniformly at random rather than being fixed to $0^n$, and the tag is $\langle t_0, t_\ell \rangle$.

(b) Modify CBC-MAC so that all blocks $t_1, \ldots, t_\ell$ are output (rather than just $t_\ell$).
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4.10  Provide  formal  definitions  for  second  pre-image  resistance  and  pre-image 
resistance.  Formally  prove  that  any  hash  function  that  is  collision  resis- 
tant is  second  pre-image  resistant,  and  that  any  hash  function  that  is 
second  pre-image  resistant  is  pre-image  resistant. 

4.11 Let $(\mathsf{Gen}_1, H_1)$ and $(\mathsf{Gen}_2, H_2)$ be two hash functions. Define $(\mathsf{Gen}, H)$ so that $\mathsf{Gen}$ runs $\mathsf{Gen}_1$ and $\mathsf{Gen}_2$ to obtain keys $s_1$ and $s_2$, respectively. Then define

(a) Prove that if at least one of $(\mathsf{Gen}_1, H_1)$ and $(\mathsf{Gen}_2, H_2)$ is collision resistant, then $(\mathsf{Gen}, H)$ is collision resistant.

(b) Determine whether an analogous claim holds for second pre-image resistance and pre-image resistance, respectively. Prove your answer in each case.

4.12 Let $(\mathsf{Gen}, H)$ be a collision-resistant hash function. Is $(\mathsf{Gen}, \hat{H})$ defined by $\hat{H}^s(x) \stackrel{\mathrm{def}}{=} H^s(H^s(x))$ necessarily collision resistant?

4.13  Provide  a formal  proof  of  Theorem  4.14  (i.e.,  describe  the  formal  reduc- 
tion). 

4.14 Generalize the Merkle-Damgard construction for any compression function that compresses by at least one bit. You should refer to a general input length $\ell'$ and general output length $\ell$ (with $\ell' > \ell$).

4.15 For each of the following modifications to the Merkle-Damgard transform, determine whether the result is collision resistant or not. If yes, provide a proof; if not, demonstrate an attack.

(a) Modify the construction so that the input length is not included at all (i.e., output $z_B$ and not $z_{B+1} = h^s(z_B \| L)$).

(b) Modify the construction so that instead of outputting $z = h^s(z_B \| L)$, the algorithm outputs $z_B \| L$.

(c) Instead of using a fixed $IV$, choose $IV \leftarrow \{0,1\}^n$ and define $z_0 := IV$. Then, set the output to be $IV \| h^s(z_B \| L)$.

(d) Instead of using an $IV$, just start the computation from $x_1$. That is, define $z_1 := x_1$ and then compute $z_i := h^s(z_{i-1} \| x_i)$ for $i = 2, \ldots, B+1$ and output $z_{B+1}$ as before.

(e) Instead of using a fixed $IV$, set $z_0 := L$ and then compute $z_i := h^s(z_{i-1} \| x_i)$ for $i = 1, \ldots, B$ and output $z_B$.

4.16 Provide a full and detailed specification of HMAC when the underlying compression function has input length $\ell'$ and output length $\ell$ (with $\ell' > \ell$). Describe the instantiation of HMAC with SHA-1.
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4.17 Before HMAC was invented, it was quite common to define a MAC by $\mathsf{Mac}_k(m) = H^s(k \| m)$ where $H$ is a collision-resistant hash function. Show that this is not a secure MAC when $H$ is constructed via the Merkle-Damgard transform.
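The weakness Exercise 4.17 points at is the length-extension property of the Merkle-Damgard transform. The following is an added example, not part of the book, that carries the attack out on a toy Merkle-Damgard hash: the compression function $h$ is SHA-256 applied to a 64-byte input (its key $s$ is fixed, as it is for SHA-1 and SHA-256 themselves), and the transform zero-pads the input, chains from $z_0 = 0^\ell$ and appends one block holding the input length $L$, as in the exercises above. Knowing only $|k|$, $m$ and $t = H(k \| m)$, the forger produces a valid tag on a longer message of its choosing. The 32-byte block size and the names `insecure_mac` and `length_extension_forgery` are choices of this example.

```python
"""Length extension against Mac_k(m) = H(k || m) for a Merkle-Damgard H."""
import hashlib
import hmac

BLK = 32  # message block length in bytes (the text's ell, taken as 256 bits)


def h(z, x):
    """Compression function h(z || x): SHA-256 on the 64-byte input (toy choice)."""
    return hashlib.sha256(z + x).digest()


def _blocks(data):
    """Zero-pad to a multiple of BLK and split into blocks x_1, ..., x_B."""
    data = data + b"\x00" * (-len(data) % BLK)
    return [data[i:i + BLK] for i in range(0, len(data), BLK)]


def md_hash(data):
    """Merkle-Damgard: chain from z_0 = 0^ell over the padded blocks, then one
    final block holding the unpadded input length L."""
    z = b"\x00" * BLK
    for x in _blocks(data):
        z = h(z, x)
    return h(z, len(data).to_bytes(BLK, "big"))


def insecure_mac(key, m):
    """The pre-HMAC construction under attack: Mac_k(m) = H(k || m)."""
    return md_hash(key + m)


def vrfy(key, m, t):
    return hmac.compare_digest(insecure_mac(key, m), t)


def length_extension_forgery(key_len, m, t, suffix):
    """Forge a tag on m* = m || pad || <L> || suffix from |k|, m and t alone.

    H(k || m*) processes k || m || pad || <L> first, and after those blocks its
    chaining value is exactly t; the forger resumes from t and finishes the
    computation the same way md_hash would."""
    L = key_len + len(m)
    glue = b"\x00" * (-L % BLK) + L.to_bytes(BLK, "big")
    m_star = m + glue + suffix
    z = t
    for x in _blocks(suffix):
        z = h(z, x)
    t_star = h(z, (L + len(glue) + len(suffix)).to_bytes(BLK, "big"))
    return m_star, t_star


if __name__ == "__main__":
    key = b"\x5a" * 20                      # secret; the forger knows only its length
    m, suffix = b"amount=10&to=bob", b"&amount=1000000"
    m_star, t_star = length_extension_forgery(len(key), m, insecure_mac(key, m), suffix)
    print("forged tag verifies:", vrfy(key, m_star, t_star))
```

The glue bytes are the price of the attack: the forged message contains the padding and length block of the original, which is why the attack is practical against formats that tolerate junk between fields (query strings, many binary protocols) and why HMAC's outer hash, rather than $H(k \| m)$, is the right primitive.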

4.18  Show  that  Construction  4.19  is  CCA-secure  even  when  the  MAC  of 
Construction  4.5  is  used  (this  MAC  does  not  have  unique  tags). 

4.19 Show that if any message authentication code having unique tags is used in the encrypt-and-authenticate approach, the resulting combination is not CPA-secure.

4.20  Show  an  encryption  scheme  that  is  CCA-secure  but  is  not  a secure  mes- 
sage transmission  scheme. 

4.21  Show  a message  transmission  scheme  that  achieves  authenticated  com- 
munication but  is  not  a secure  message  transmission  scheme. 


4.22  Prove  Theorem  4.25. 


Chapter 5


Practical Constructions of
Pseudorandom Permutations
(Block Ciphers)


In  previous  chapters,  we  have  studied  how  pseudorandom  permutations  can 
be  used  to  construct  secure  encryption  schemes  and  message  authentication 
codes.  However,  one  question  of  prime  importance  that  we  have  not  yet 
studied  is  how  pseudorandom  permutations  are  constructed  in  the  first  place, 
or  even  whether  they  exist  at  all!  In  the  next  chapter  we  will  study  these 
questions  from  a theoretical  vantage  point,  and  show  constructions  of  pseu- 
dorandom permutations  that  can  be  proven  secure  based  on  quite  weak  as- 
sumptions. In  this  chapter,  our  focus  will  be  on  comparatively  heuristic,  but 
far  more  efficient,  constructions  of  pseudorandom  permutations  — known  as 
block  ciphers  — that  are  used  in  practice. 

As  just  mentioned,  the  constructions  of  block  ciphers  that  we  will  explore 
in  this  chapter  are  (for  the  most  part)  heuristic,  at  least  in  the  sense  that  they 
have  no  known  proof  of  security  based  on  any  weaker  assumption.  Neverthe- 
less, a number  of  the  block  ciphers  that  are  used  in  practice  have  withstood 
many  years  of  public  scrutiny  and  attempted  cryptanalysis,  and  given  this  fact 
it  is  quite  reasonable  to  assume  that  these  block  ciphers  are  indeed  (strong) 
pseudorandom  permutations,  subject  to  the  technical  issues  discussed  below. 

Of  course,  in  some  sense  there  is  no  fundamental  difference  between  assum- 
ing, say,  that  factoring  is  hard  and  assuming  that  DES  (a  block  cipher  we  will 
study  in  detail  later  in  this  chapter)  is  a pseudorandom  permutation.  There 
is, however, a significant qualitative difference between these assumptions.¹
The  primary  difference  is  that  the  former  assumption  is  of  a weaker  type: 
That  is,  the  requirement  that  a certain  problem  (i.e.,  factoring)  be  hard  to 
solve  seems  “easier  to  satisfy”  than  the  requirement  that  a given  keyed  func- 
tion be  indistinguishable  from  a random  function.  Less  important  but  still 
relevant  differences  between  the  assumptions  are  that  the  problem  of  factor- 
ing has  been  studied  much  longer  than  the  problem  of  distinguishing  DES 
from  a random  function,  and  the  fact  that  factoring  was  recognized  as  a hard 
mathematical  problem  well  before  the  advent  of  cryptographic  schemes  based 


¹It should be clear that the discussion in this paragraph is informal, as we cannot formally argue about any of this when we cannot even prove that factoring is hard in the first place!
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on it. We remark further that most of the cryptanalytic effort directed at DES and other block ciphers has focused on key-recovery attacks, where the goal is to recover the key $k$ given multiple pairs $(x, \mathrm{DES}_k(x))$; comparatively less research has been specifically aimed at the (potentially easier) problem of distinguishing DES from a random function. (This is perhaps less true with more modern block ciphers; see below.)

To  summarize,  the  assumption  that  a well-studied  block  cipher  such  as 
DES  is  pseudorandom  is  indeed  a reasonable  one,  and  one  that  people  are 
comfortable  relying  on  in  practice.  Still,  it  would  be  preferable  to  be  able  to 
base  security  of  modern-day  block  ciphers  on  weaker  and  more  long-standing 
assumptions.  As  we  will  see  in  Chapter  6,  this  is  (in  principle)  possible; 
unfortunately,  the  constructions  we  will  see  there  are  orders  of  magnitude  less 
efficient  than  the  block  ciphers  in  use  today. 

Block  Ciphers  as  Strong  Pseudorandom  Permutations 

A block cipher is an efficient, keyed permutation $F : \{0,1\}^n \times \{0,1\}^\ell \to \{0,1\}^\ell$. Recall from Section 3.6.3 that this means the function defined by $F_k(x) = F(k, x)$ is a bijection (i.e., a permutation), and moreover $F_k$ and its inverse $F_k^{-1}$ are efficiently computable given $k$. We refer to $n$ as the key length and $\ell$ as the block length of $F$. Departing from our convention in Chapter 3, we no longer require that $n = \ell$ (though that will often be the case). A more important difference is that here $n$ and $\ell$ are fixed constants, whereas in Chapter 3 they were viewed as functions of a security parameter $n$. This essentially puts us in a setting of concrete security rather than asymptotic security, as discussed further below.²

Despite  their  name,  block  ciphers  should  be  viewed  as  (strong)  pseudoran- 
dom permutations  and  not  as  encryption  schemes.  Stated  differently,  block 
ciphers  should  be  viewed  as  building  blocks  for  encryption  and  other  schemes, 
and  not  as  encryption  schemes  themselves.  As  discussed  in  Chapter  3,  mod- 
eling block  ciphers  as  (strong)  pseudorandom  permutations  allows  rigorous 
proofs  of  security  for  constructions  based  on  block  ciphers,  and  also  makes 
explicit the necessary requirements on the block cipher. Moreover, a solid understanding of what block ciphers are supposed to achieve (e.g., as per Definition 3.28) is instrumental in their design. The view that block ciphers
should  be  modeled  as  pseudorandom  permutations  has,  at  least  in  the  recent 
past,  served  as  a major  influence  in  their  design.  As  an  example,  the  call  for 
proposals  for  the  recent  Advanced  Encryption  Standard  (AES)  that  we  will 
encounter  later  in  this  chapter  stated  the  following  evaluation  criteria: 


²Though a block cipher with fixed key length has no “security parameter” to speak of, we
still  view  security  as  depending  on  the  length  of  the  key  and  thus  denote  this  value  by  n. 
We  remark  that  viewing  the  key  length  as  a parameter  makes  sense  when  comparing  block 
ciphers  having  different  key  lengths,  or  when  using  a block  cipher  that  supports  keys  of 
different  lengths. 
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The security provided by an algorithm is the most important factor. . . ; Algorithms will be judged on the following factors. . .

• The extent to which the algorithm output is indistinguishable from a random permutation on the input block.

Essentially,  this  states  that  a block  cipher  should  be  a pseudorandom  per- 
mutation. (It  is  unclear  to  what  extent  submitted  proposals  were  evaluated 
as  strong  pseudorandom  permutations.  Nevertheless,  had  an  attack  been 
demonstrated  showing  that  some  proposal  did  not  satisfy  this  criterion,  it  is 
unlikely  the  proposal  would  have  been  adopted.)  Thus,  as  we  have  stated, 
modern  block  ciphers  are  intended  to  be  pseudorandom  permutations.  As 
such,  they  are  suited  for  use  in  all  the  constructions  relying  on  pseudorandom 
permutations  (or  pseudorandom  functions)  that  we  have  seen  in  this  book. 

Block ciphers and Definition 3.28. Although we treat block ciphers as
pseudorandom  permutations,  a technical  difficulty  is  that  any  fixed  block  ci- 
pher is  typically  only  defined  for  a fixed  key  length  and  block  length.  This 
means  that  an  asymptotic  definition  of  security  as  in  Definition  3.28  does  not 
apply.  A similar  problem  arose  (though  we  did  not  dwell  on  it  there)  when  we 
considered  practical  constructions  of  collision-resistant  hash  functions  such  as 
SHA-1.  In  both  cases,  the  appropriate  way  to  deal  with  this  is  to  understand 
that  block  ciphers  are  only  intended  to  be  indistinguishable  from  random  for 
attackers  running  “for  any  reasonable  amount  of  time”  (say,  100  years  using 
the  strongest  available  computers).  This  can  be  treated  formally  within  the 
framework of concrete security, briefly mentioned in Section 3.1.1.

Attacks  on  Block  Ciphers 

Notwithstanding  the  fact  that  block  ciphers  should  not  be  confused  with 
encryption  schemes,  the  standard  terminology  (that  we  will  adopt  here)  for 
attacks  on  a block  cipher  F refers  to: 

• Ciphertext-only attacks, where the attacker is given only a series of outputs $\{F_k(x_i)\}$ for some inputs $\{x_i\}$ unknown to the attacker

• Known-plaintext attacks, where the attacker is given pairs of inputs and outputs $\{(x_i, F_k(x_i))\}$

• Chosen-plaintext attacks, where the attacker is given $\{(x_i, F_k(x_i))\}$ for a series of inputs $\{x_i\}$ that are chosen by the attacker

• Chosen-ciphertext attacks, where the attacker is given $\{(x_i, F_k(x_i))\}$ and $\{(F_k^{-1}(y_i), y_i)\}$ for $\{x_i\}, \{y_i\}$ chosen by the attacker.

In  view  of  the  above,  a pseudorandom  permutation  is  secure  against  chosen- 
plaintext  attacks,  while  a strong  pseudorandom  permutation  is  secure  against 
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chosen-ciphertext  attacks.  In  an  asymptotic  sense,  this  refers  to  attacks  run- 
ning in  polynomial  time.  As  mentioned  just  previously,  though,  block  ciphers 
typically  have  some  fixed  block  length  and  key  length,  and  so  asymptotic  mea- 
sures are  useless.  Instead,  the  goal  is  for  a block  cipher  to  be  unbreakable  in 
any  reasonable  amount  of  time.  This  is  interpreted  very  strictly  in  the  context 
of  block  ciphers,  and  a block  cipher  is  generally  only  considered  “good”  if  the 
best  known  attack  has  time  complexity  roughly  equivalent  to  a brute-force 
search for the key. Thus, if a cipher with key length $n = 112$ can be broken in time $2^{56}$ (we will see such an example later), the cipher is (generally) considered insecure even though $2^{56}$ is still a relatively large number. Note that in an asymptotic setting, an attack of complexity $2^{n/2}$ is not feasible since it requires exponential time (and thus a cipher where such an attack is possible might still satisfy the definition of being a pseudorandom permutation).
In  a non-asymptotic  setting,  however,  we  must  worry  about  the  actual  time 
complexity  of  the  attack  (rather  than  its  asymptotic  behavior).  Furthermore, 
we  are  concerned  that  existence  of  such  an  attack  may  indicate  some  more 
fundamental  weakness  in  the  design  of  the  cipher. 

The  Aim  of  this  Chapter 

To  head  off  any  confusion,  we  stress  that  the  main  aim  of  this  chapter  is 
to  present  some  design  principles  used  in  the  construction  of  modern  block 
ciphers,  with  a secondary  aim  being  to  introduce  the  reader  to  the  popular 
block  ciphers  DES  and  AES.  We  caution  the  reader  that: 

• It  is  not  our  intent  to  present  the  low-level  details  of  DES  or  AES, 
and  our  description  of  these  block  ciphers  should  not  be  relied  upon  for 
implementation.  To  be  clear:  our  descriptions  of  these  ciphers  are  often 
(purposefully)  inaccurate,  as  we  omit  certain  technical  details  when  they 
are  not  relevant  to  the  broader  point  we  are  trying  to  emphasize. 

• It  is  also  not  the  aim  of  this  chapter  to  teach  how  to  construct  se- 
cure block  ciphers.  On  the  contrary,  we  strongly  believe  that  new  (and 
proprietary)  block  ciphers  should  neither  be  constructed  nor  used  since 
numerous  excellent  block  ciphers  are  readily  available. 

Those  who  are  interested  in  developing  expertise  in  constructing  block 
ciphers  are  advised  to  start  with  the  references  at  the  end  of  this  chapter. 


5.1  Substitution-Permutation  Networks 

The  main  property  required  of  a block  cipher  is  that  it  should  behave  like 
a random  permutation.  Of  course,  a truly  random  permutation  would  be 
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perfect. However, a random permutation having a block length (i.e., input and output length) of $n$ bits would require $\log(2^n!) \approx n \cdot 2^n$ bits for its representation, something that is impractical for $n > 20$ and completely infeasible for $n > 50$. (Looking ahead, in practice a block length of $n = 64$ is already too small in some cases, and modern block ciphers thus have block lengths of $n \geq 128$.) Thus, we need to somehow construct a concise function that behaves like a random one.

The confusion-diffusion paradigm. In addition to his work on perfect secrecy, Shannon introduced a basic paradigm for constructing concise random-looking permutations. The basic idea is to construct a random-looking permutation $F$ with a large block length from many smaller random (or random-looking) permutations $\{f_i\}$ having a small block length. Let us see how this works on the most basic level. Say we want $F$ to have a block length of 128 bits. We can define $F$ as follows: the key $k$ for $F$ will specify 16 random permutations $f_1, \ldots, f_{16}$ that each have an 8-bit block length.³ Given an input $x \in \{0,1\}^{128}$, we parse it as 16 consecutive 8-bit blocks $x_1 \cdots x_{16}$ and then set

$$F_k(x) = f_1(x_1) \cdots f_{16}(x_{16}). \qquad (5.1)$$

We  say  (informally)  that  these  {fi}  introduce  confusion  into  F. 

It should be immediately clear, however, that $F$ as defined above will not be pseudorandom. Specifically, if $x$ and $x'$ differ only in their first bit then $F_k(x)$ and $F_k(x')$ will differ only in their first byte (regardless of the value of $k$). In contrast, if $F$ were a truly random permutation then changing the first bit of the input would be expected to affect all bytes of the output.

For this reason, two additional changes are introduced. First, a diffusion step is introduced whereby the bits of the output are permuted⁴ or “mixed”. Second, the confusion/diffusion steps — together called a round — are repeated multiple times. As an example, a two-round block cipher would operate as follows: first, $x' := F_k(x)$ would be computed as in Equation (5.1). Then the bits of $x'$ would be re-ordered to give $x_1$. Then $x_1' := F_k(x_1)$ would be computed, and the bits of $x_1'$ would be re-ordered to give the output $x_2$. We remark that the functions $\{f_i\}$ as well as the permutations used in each round need not be the same. It is typical to assume that the mixing permutations used in each round are fixed (i.e., independent of the key), though a dependence on the key could also be introduced.

Repeated  use  of  confusion  and  diffusion  ensures  that  any  small  change  in 
the  input  will  be  mixed  throughout  and  propagated  to  all  the  bits  of  the 
output.  The  effect  is  that  small  changes  to  the  input  have  a significant  effect 
on  the  output,  as  one  would  expect  of  a random  permutation. 


³Since a random permutation on 8 bits can be represented using $\approx 8 \cdot 2^8$ bits, the length of the key for $F$ is about $16 \cdot 8 \cdot 2^8$ bits, or 32 Kbits. This is much smaller than the $\approx 128 \cdot 2^{128}$ bits that would be required to specify a random permutation on 128 bits.

⁴In this context, “permuting” refers to re-ordering the bits.
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Substitution-permutation networks. A substitution-permutation network can be viewed as a direct implementation of the confusion-diffusion paradigm. The main difference here is that we view the round functions $\{f_i\}$ as being fixed (rather than depending on the key $k$), and the key is used for a different purpose as we will shortly explain. We now refer to the $\{f_i\}$ as S-boxes since they act as fixed “substitution functions” (we continue to require that they be permutations).

A substitution-permutation network essentially follows the steps of the confusion-diffusion paradigm outlined earlier. However, since the S-boxes no longer depend on the key, we need to introduce dependence in some other way. (In accordance with Kerckhoffs’ principle, we assume that the exact structure of the S-boxes and the mixing permutations are publicly-known, with the only secret being the key.) There are many ways this can be done, but we will focus here on the case where this is done by simply XORing some function of the key with the intermediate results that are fed as input to each round of the network. The key to the block cipher is sometimes referred to as the master key, and the sub-keys that are XORed with the intermediate results in each round are derived from the master key according to a key schedule. The key schedule is often very simple and may work by just taking subsets of the bits of the key (for example, a two-round network may use the first half of the master key in the first round and the second half of the master key in the second round), though more complex schedules can also be defined. See Figure 5.1 for the high-level structure of a substitution-permutation network, and Figure 5.2 for a closer look at a single round of such a network.

The exact choices of the S-boxes, mixing permutations, and key schedule are
what  ultimately  determine  whether  a given  block  cipher  is  trivially  breakable 
or  highly  secure.  We  will  only  discuss  at  a cursory  level  some  basic  principles 
behind  their  design.  The  first  principle  is  simply  a functional  requirement, 
while  the  second  is  more  specifically  related  to  security. 

Design principle 1 — invertibility of the S-boxes. In a substitution-permutation network, the S-boxes must be invertible; that is, they must be one-to-one and onto functions. The reason for this is that otherwise the block cipher will not be a permutation. To see that making the S-boxes one-to-one and onto suffices, we show that when this holds it is possible to fully determine the input given the output and the key. Specifically, we show that every round can be inverted (implying that the entire network can be inverted by working from the end back to the beginning). Recall that a round now consists of three stages: XORing the sub-key with the output of the previous round, passing the result through the S-boxes (as in Equation (5.1)), and finally re-ordering the bits of this result using a mixing permutation. The mixing permutation can easily be inverted since it is just a re-ordering of bits. If the S-boxes are one-to-one and onto, these too can be inverted. The result can then be XORed with the appropriate sub-key to obtain the original input. We therefore have:
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FIGURE  5.2:  A single  round  of  a substitution-permutation  network. 

PROPOSITION 5.1 Let $F$ be a keyed function defined by a substitution-permutation network in which the S-boxes are all one-to-one and onto. Then regardless of the key schedule and the number of rounds, $F_k$ is a permutation for any choice of $k$.

Design  principle  2 — the  avalanche  effect.  An  important  property  in 
any  block  cipher  is  that  small  changes  to  the  input  must  result  in  large  changes 
to  the  output.  Otherwise,  the  outputs  of  the  block  cipher  on  two  similar  inputs 
will  not  look  independent  (whereas  in  a random  permutation,  the  outputs  of 
any  two  unequal  inputs  are  independently  distributed).  To  ensure  that  this  is 
the  case,  block  ciphers  are  designed  to  exhibit  the  avalanche  effect,  meaning 
that  changing  a single  bit  of  the  input  affects  every  bit  of  the  output.  (This 
does  not  mean  that  changing  one  bit  of  the  input  changes  every  bit  of  the 
output,  only  that  it  has  some  effect  on  every  bit  of  the  output.  Note  that  even 
for  a completely  random  function,  changing  one  bit  of  the  input  is  expected 
to  change  only  half  the  bits  of  the  output,  on  average.) 

It  is  easy  to  demonstrate  that  the  avalanche  effect  holds  in  a substitution- 
permutation  network  provided  that  the  following  two  properties  hold  (and 
sufficiently-many  rounds  are  used): 

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1. The S-boxes are designed so that changing a single bit of the input to an S-box changes at least two bits in the output of the S-box.

2. The mixing permutations are designed so that the output bits of any given S-box are spread into different S-boxes in the next round.

To see how this yields the avalanche effect, assume that the S-boxes are all such that changing a single bit of the input of the S-box results in a change in exactly two bits of the output of the S-box, and that the mixing permutations are chosen as required above. For concreteness, assume the S-boxes have input/output size of 4 bits, and that the block length of the cipher is 128 bits.
Consider  now  what  happens  when  the  block  cipher  is  applied  to  two  inputs 
that  differ  by  only  a single  bit: 

1.  After  the  first  round,  the  intermediate  values  differ  in  exactly  two  bit- 
positions.  This  is  because  XORing  the  current  sub-key  maintains  the 
1-bit  difference  in  the  intermediate  values,  and  so  the  inputs  to  all  the  S- 
boxes  except  one  are  identical.  In  the  one  S-box  where  the  inputs  differ, 
the  output  of  the  S-box  causes  a 2-bit  difference.  The  mixing  permu- 
tation applied  to  the  results  changes  the  positions  of  these  differences, 
but  maintains  a 2-bit  difference. 

2. By the second property mentioned earlier, the mixing permutation applied at the end of the first round spreads the two bit-positions where
the  intermediate  results  differ  into  two  different  S-boxes  in  the  second 
round.  (This  remains  true  even  after  the  appropriate  sub-key  is  XORed 
with  the  result  of  the  previous  round.)  So,  in  the  second  round  there  are 
now  two  S-boxes  that  receive  inputs  differing  by  a single  bit.  Following 
the  same  argument  as  before,  we  see  that  at  the  end  of  the  second  round 
the  intermediate  values  differ  in  4 bits. 

3. Continuing with the same argument, we expect 8 bits of the intermediate value to be affected after the 3rd round, 16 bits to be affected after the 4th round, and all 128 bits of the output to be affected at the end of the 7th round.

The  last  point  is  not  quite  precise  and  it  is  certainly  possible  that  (depending 
on  the  exact  inputs,  as  well  as  the  exact  choice  of  the  S-boxes  and  mixing 
permutations)  there  will  be  fewer  differences  than  expected  at  the  end  of 
some  round.  For  this  reason,  it  is  typical  to  use  more  than  7 rounds.  The 
importance  of  the  last  point  is  that  it  gives  a lower  bound  on  the  number  of 
rounds:  if  fewer  than  7 rounds  are  used  then  there  must  be  some  set  of  output 
bits  that  are  not  affected,  implying  that  it  will  be  possible  to  distinguish  the 
cipher  from  a random  permutation. 

One might expect that the “best” way to design S-boxes would be to choose them at random (subject to the restriction that they should be one-to-one and onto). Interestingly, this turns out not to be the case,* at least if we want to satisfy the above criterion. For example, consider the case of an S-box operating on 4-bit inputs and let x and x′ be two different inputs. Let y = S(x), and now consider choosing y′ ≠ y at random as the value of S(x′). There are 4 strings that differ from y in only 1 bit, and so with probability 4/15 > 1/4 we will choose y′ that does not differ from y in two or more bits. The problem is compounded when we consider all inputs, and becomes even worse when we consider that multiple S-boxes are needed. We conclude based on this example that, as a general rule, it is best to carefully design S-boxes with certain desired properties (in addition to the one discussed above) rather than choosing them blindly at random.

In addition to the above, we remark also that randomly-chosen S-boxes are not the best for defending against attacks like the ones we will show in Section 5.6.
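The doubling argument traced above, and the remark that random S-boxes rarely meet the "at least two output bits change" criterion, can both be checked on a toy cipher. The following is an added example, not code from the book: a 16-bit SPN with four 4-bit S-boxes, where the S-box is the published 4-bit PRESENT S-box (chosen because it meets the criterion) and the mixing permutation sends output bit j of S-box i to input bit i of S-box j; the round structure, round keys and sample inputs are constructed for the demo.

```python
"""Toy 16-bit substitution-permutation network for tracing the avalanche effect.

Added example. The S-box is the published 4-bit PRESENT S-box (chosen because
a single flipped input bit always changes at least two of its output bits);
the mixing permutation and the round structure are constructed for this demo.
"""
import random

NIBBLES = 4                      # four 4-bit S-boxes => 16-bit block
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    return bin(v).count("1")


def min_single_bit_diff(sbox):
    """Smallest number of output bits that change when one input bit flips.
    The design criterion from the text requires this to be at least 2."""
    width = len(sbox).bit_length() - 1          # input width in bits
    return min(hamming_weight(sbox[x] ^ sbox[x ^ (1 << b)])
               for x in range(len(sbox)) for b in range(width))


def mix(state):
    """Mixing permutation: output bit j of S-box i becomes input bit i of
    S-box j, so the 4 output bits of one S-box feed 4 different S-boxes.
    Applying it twice gives the identity (it is a transpose)."""
    out = 0
    for i in range(NIBBLES):
        for j in range(4):
            if (state >> (4 * i + j)) & 1:
                out |= 1 << (4 * j + i)
    return out


def substitute(state):
    """Apply the S-box to each 4-bit nibble of the 16-bit state."""
    out = 0
    for i in range(NIBBLES):
        out |= SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def spn_round(state, round_key):
    """One round: key mixing, S-box layer, mixing permutation."""
    return mix(substitute(state ^ round_key))


def trace_difference(x, x_prime, round_keys):
    """Hamming weight of the difference between the two intermediate values
    after each round, for two inputs encrypted under the same round keys."""
    weights = []
    for rk in round_keys:
        x, x_prime = spn_round(x, rk), spn_round(x_prime, rk)
        weights.append(hamming_weight(x ^ x_prime))
    return weights


def random_sbox_pass_rate(trials=2000, seed=1):
    """Fraction of uniformly random 4-bit bijections meeting the
    'at least two output bits change' criterion; illustrates why S-boxes
    are designed rather than drawn at random."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        box = list(range(16))
        rng.shuffle(box)
        passed += min_single_bit_diff(box) >= 2
    return passed / trials


if __name__ == "__main__":
    # Constructed inputs: 0x0000 and 0x0001 differ in a single bit; all-zero round keys.
    print("min output change, PRESENT S-box:", min_single_bit_diff(SBOX))
    print("difference weight per round:",
          trace_difference(0x0000, 0x0001, [0x0000] * 4))
    print("random S-box pass rate:", random_sbox_pass_rate())
```

No 4-bit bijection can change exactly two output bits on every single-bit input flip (a 1-bit flip changes the input's parity while a 2-bit change preserves the output's parity, so all outputs would have the same parity), which is why the trace uses the weaker "at least two" criterion and the per-round weights need not double exactly.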


Security  of  Substitution-Permutation  Networks 

Experience, along with many years of cryptanalytic effort, indicates that substitution-permutation networks are a good choice for constructing pseudorandom permutations as long as great care is taken in the choice of the S-boxes, the mixing permutations, and the key schedule. The Advanced Encryption Standard (AES), described in Section 5.5, is similar in structure to the substitution-permutation network described above, and is widely believed to be a very strong pseudorandom permutation.

It  is  important  to  understand,  however,  that  the  strength  of  a cipher  con- 
structed in  this  way  depends  heavily  on  the  number  of  rounds  used.  In  order 
to  obtain  more  of  an  insight  into  substitution-permutation  networks,  we  will 
demonstrate  attacks  on  block  ciphers  of  this  type  that  have  very  few  rounds. 
These  attacks  are  straightforward,  but  are  worth  seeing  as  they  demonstrate 
conclusively  why  a large  number  of  rounds  are  needed. 

Attacks on reduced-round substitution-permutation networks. According to the definition of a pseudorandom permutation (see Definition 3.23), the adversary is given an oracle that is either a random permutation or the given block cipher (with a randomly-chosen key). The aim of the adversary is to determine which is the case. Clearly, if an adversary can obtain the secret key of the block cipher, then it can distinguish it from a random permutation. Such an attack is called a complete break because once the secret key is learned, no security remains.


*The situation here is different from our earlier discussion of the confusion-diffusion paradigm. There, the round functions/S-boxes depended on the key and were therefore unknown to the adversary. Here, the round functions are fixed and publicly-known, and the question is what fixed functions are best.
Attack on a single-round substitution-permutation network: Let F be a single-round substitution-permutation network. We demonstrate an attack where the adversary is given only a single input/output pair (x, y) for a randomly-chosen input value x, and easily learns the secret key k for which y = Fₖ(x). The adversary begins with the output value y and then inverts the mixing permutation and the S-boxes. It can do this because the specification of the permutation and the S-boxes is public. The intermediate value that the adversary computes from these inversions is exactly x ⊕ k (assuming, without loss of generality, that the master key is used as the sub-key in the only round of the network). Since the adversary also has the input x, it immediately derives the secret key k. This is therefore a complete break.

Attack on a two-round substitution-permutation network: We again show an attack that recovers the secret key, though the attack now takes more time. Consider the following concrete parameters. Let the block length of the cipher be 64 bits, and let each S-box have a 4-bit input/output length. Furthermore, let the key k be of length 128 bits where the first half k¹ ∈ {0,1}⁶⁴ of the key is used in the first round and the second half k² ∈ {0,1}⁶⁴ is used in the second round. We use independent keys here to simplify the description of the attack below, but this only makes the attack more difficult.

Say the adversary is given an input x and the output y = Fₖ(x) of the cipher. The adversary begins by “working backward”, inverting the mixing permutation and S-boxes in the second round of the cipher (as in the previous attack). Denote by w₁ the first 4 bits of the result. Letting a₁ denote the first 4 bits of the output of the first round, we have that w₁ = a₁ ⊕ k₁², where k₁² denotes the first 4 bits of k². (The adversary does not know a₁ or k².) The important observation here is that when “working forward” starting with the input x, the value of a₁ is influenced by at most 4 different S-boxes (because, in the worst case, each bit of a₁ comes from a different S-box in the first round). Furthermore, since the mixing permutation of the first round is known, the adversary knows exactly which of the S-boxes influence a₁. This, in turn, means that at most 16 bits of the key k¹ (in known positions) influence the computation of these four S-boxes. It follows that the adversary can guess the appropriate 16 bits of k¹ and the 4-bit value k₁², and then verify possible correctness of this guess using the known input/output pair (x, y). This verification is carried out by XORing the relevant 16 bits of the input x with the relevant 16 bits of k¹, computing the resulting a₁, and then comparing w₁ to a₁ ⊕ k₁² (where k₁² is also part of the guess). If equality is not obtained, then the guess is certainly incorrect. If equality is obtained, then the guess may be correct. Proceeding in this way, the adversary can exhaustively find all values of these 20 bits of the key that are consistent with the given (x, y). This takes time 2²⁰ to try each possibility.

If we make the simplifying assumption that an incorrect guess (i.e., one which does not correspond to the bits of the key k that is actually being used) yields a random value for a₁ ⊕ k₁², then we expect an incorrect guess to pass the above verification test with probability 2⁻⁴ = 1/16. This means that we expect roughly 2²⁰/16 = 2¹⁶ possibilities to pass the test (including the correct possibility). If we now repeat the above using an additional input/output pair, we expect to again eliminate roughly 15/16 of the incorrect possibilities, and we see that if we carry this out repeatedly using many different input/output pairs, we expect to be left with only one guess of the 20 bits of the key that is consistent with all the given input/output pairs. This will, of course, have to be correct.

For concreteness, assume that 8 input/output pairs are used to narrow down to a single possibility. Then the adversary learns the 4 bits of k₁² in time 8 · 2²⁰ = 2²³. This can be repeated for all 16 portions of k², leading to an attack with total complexity of 16 · 2²³ = 2²⁷ for learning the 64-bit value k². Along the way the adversary also learns all 64 bits of k¹. This in fact over-estimates the time complexity of the attack since certain portions of k¹ will be re-used, and previously-determined portions of k¹ do not need to be guessed again. In any case, an attack having time complexity 2²⁷ is well within practical reach, and is much less than the 2¹²⁸ complexity that “should” be required to perform an exhaustive search for a 128-bit key.

There is an important lesson to be learned from the above. The attack is possible since different parts of the key can be isolated from other parts (it is much quicker to carry out 16 attacks of time 2²³ that reveal 4 bits of k² each time, than a single attack of time (2²³)¹⁶ = 2³⁶⁸). Thus, further diffusion is needed to make sure that all the bits of the key affect all of the bits of the output. Two rounds are not enough for this to take place.

Attack on a three-round substitution-permutation network: In this case we present a weaker attack; instead of learning the key, we just show that it is easy to distinguish a three-round substitution-permutation network from a pseudorandom permutation. This attack is based on the observation, mentioned earlier, that the avalanche effect is not complete after only three rounds (of course, this depends on the block length of the cipher and the input/output length of the S-boxes, but with reasonable parameters this will be the case). Thus, the adversary just needs to ask for the function to be computed on two strings that differ on only a single bit. A three-round block cipher will have the property that many bits of the output will be the same in each case, making it easy to distinguish from a random permutation.


5.2  Feistel  Networks 

A Feistel network is an alternative approach for constructing a block cipher. The low-level building blocks (S-boxes, mixing permutations, and a key schedule) are the same; the difference is in the high-level design. The advantage of Feistel networks over substitution-permutation networks is that a Feistel network eliminates the requirement that S-boxes be invertible. This is important because a good block cipher should have “unstructured” behavior (so that it looks random); however, requiring that all the components of the construction be invertible inherently introduces structure. A Feistel network is thus a way of constructing an invertible function from non-invertible components. This seems like a contradiction in terms — if you cannot invert the components, it seems impossible to invert the overall structure — but the Feistel design ingeniously achieves this.

FIGURE 5.3: A 4-round Feistel network.

A Feistel network, as in the case of a substitution-permutation network, operates in a series of rounds. In each round, a round function is applied in a specific manner that will be described below. In a Feistel network, round functions need not be invertible. Round functions typically contain components like S-boxes and mixing permutations, but a Feistel network can deal with any round functions irrespective of their design. When the round functions are constructed from S-boxes, the designer has more freedom since the S-boxes need not be invertible.

The ith round of a Feistel network operates as follows. The input to the round is divided into two halves denoted Lᵢ₋₁ and Rᵢ₋₁ (with L and R denoting the “left half” and “right half” of the input, respectively). If the block length of the cipher is n bits, then Lᵢ₋₁ and Rᵢ₋₁ each have length n/2, and the ith round function fᵢ will take an n/2-bit input and produce an n/2-bit output. (We stress again that although the input and output lengths of fᵢ are the same, it is not necessarily one-to-one and onto.) The output (Lᵢ, Rᵢ) of the round, where Lᵢ and Rᵢ again denote the left and right halves, is given by

Lᵢ := Rᵢ₋₁   and   Rᵢ := Lᵢ₋₁ ⊕ fᵢ(Rᵢ₋₁).   (5.2)

In a t-round Feistel network, the n-bit input to the network is parsed as (L₀, R₀), and the output is the n-bit value (Lₜ, Rₜ) obtained after applying all t rounds. A 4-round Feistel network is shown in Figure 5.3.

We have not yet discussed how dependence on the key is introduced. As in the case of substitution-permutation networks, the master key k is used to derive sub-keys that are used in each round; the ith round function fᵢ depends on the ith sub-key, denoted kᵢ. Formally, the design of a Feistel network specifies a publicly-known mangler function f̂ᵢ associated with each round i. This function f̂ᵢ takes as input a sub-key kᵢ and an n/2-bit string and outputs an n/2-bit string. When the master key is fixed — thereby fixing each sub-key kᵢ — the ith round function fᵢ is defined via fᵢ(R) := f̂ᵢ(kᵢ, R).

Inverting a Feistel network. A Feistel network is invertible regardless of the round functions {fᵢ} (and thus regardless of the mangler functions {f̂ᵢ}). To show this we need only show that any given round of the network can be inverted. Given the output (Lᵢ, Rᵢ) of the ith round, we can compute (Lᵢ₋₁, Rᵢ₋₁) as follows: first set Rᵢ₋₁ := Lᵢ. Then compute

Lᵢ₋₁ := Rᵢ ⊕ fᵢ(Rᵢ₋₁).

(The function fᵢ can be derived from f̂ᵢ if the master key is known.) It can be verified that this gives the correct value (Lᵢ₋₁, Rᵢ₋₁) that was the input of this round (i.e., it computes the inverse of Equation (5.2)). Notice that fᵢ is evaluated only in the forward direction, as required.

We  thus  have: 


PROPOSITION 5.2 Let F be a keyed function defined by a Feistel network. Then regardless of the mangler functions {f̂ᵢ} and the number of rounds, Fₖ is a permutation for any choice of k.
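Equation (5.2), the inversion step, and Proposition 5.2 can all be exercised on a small instance. The code below is an added example (not from the book): a Feistel network on 16-bit blocks whose mangler function is deliberately not one-to-one and whose key schedule is a toy rotation, neither of which belongs to DES or any real cipher; the last function checks Proposition 5.2 by exhaustion over all 2¹⁶ blocks.

```python
"""Feistel network on 16-bit blocks (8-bit halves), following Equation (5.2):
    L_i := R_{i-1}   and   R_i := L_{i-1} XOR f_i(R_{i-1}).
Added example; the mangler function and key schedule are toy choices made for
this demo, not those of DES or any other real cipher."""

HALF_BITS = 8
MASK = (1 << HALF_BITS) - 1


def mangler(subkey, right):
    """Publicly known mangler f-hat(k_i, R). It is deliberately NOT one-to-one
    (v and 256 - v square to the same value mod 256), which shows that a
    Feistel round function need not be invertible."""
    v = right ^ subkey
    return (v * v) & MASK


def key_schedule(master_key, rounds):
    """Toy key schedule: sub-key i is the low 8 bits of the 16-bit master key
    rotated right by i positions."""
    keys = []
    for i in range(rounds):
        rotated = ((master_key >> i) | (master_key << (16 - i))) & 0xFFFF
        keys.append(rotated & MASK)
    return keys


def split(block):
    return (block >> HALF_BITS) & MASK, block & MASK


def join(left, right):
    return (left << HALF_BITS) | right


def feistel_round(left, right, subkey):
    """(L_{i-1}, R_{i-1}) -> (L_i, R_i) as in Equation (5.2)."""
    return right, left ^ mangler(subkey, right)


def feistel_round_inverse(left, right, subkey):
    """(L_i, R_i) -> (L_{i-1}, R_{i-1}): R_{i-1} = L_i, then
    L_{i-1} = R_i XOR f_i(R_{i-1}); f_i is only ever evaluated forward."""
    prev_right = left
    return right ^ mangler(subkey, prev_right), prev_right


def encrypt(block, master_key, rounds=4):
    left, right = split(block)
    for subkey in key_schedule(master_key, rounds):
        left, right = feistel_round(left, right, subkey)
    return join(left, right)


def decrypt(block, master_key, rounds=4):
    left, right = split(block)
    for subkey in reversed(key_schedule(master_key, rounds)):
        left, right = feistel_round_inverse(left, right, subkey)
    return join(left, right)


def mangler_is_injective(subkey):
    """False for the mangler above: distinct inputs collide."""
    return len({mangler(subkey, r) for r in range(1 << HALF_BITS)}) == (1 << HALF_BITS)


def is_permutation(master_key, rounds=4):
    """Proposition 5.2 checked by exhaustion over all 2^16 blocks: the network
    is a bijection even though every round function is many-to-one."""
    return len({encrypt(b, master_key, rounds) for b in range(1 << 16)}) == (1 << 16)


if __name__ == "__main__":
    key = 0xBEEF                     # constructed 16-bit master key
    c = encrypt(0x1234, key)
    print(hex(c), hex(decrypt(c, key)), mangler_is_injective(0x5A), is_permutation(key))
```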

As  in  the  case  of  substitution-permutation  networks,  attacks  on  Feistel  net- 
works are  possible  when  the  number  of  rounds  is  too  low.  We  will  see  such 
attacks  when  we  discuss  DES  in  the  next  section.  Theoretical  results  concern- 
ing the  security  of  Feistel  networks  are  discussed  in  Section  6.6. 
5.3 DES — The Data Encryption Standard

The  Data  Encryption  Standard,  or  DES,  was  developed  in  the  1970s  at 
IBM  (with  help  from  the  National  Security  Agency),  and  adopted  in  1977 
as  a Federal  Information  Processing  Standard  (FIPS)  for  the  US.  In  its  basic 
form,  DES  is  no  longer  considered  secure  due  to  its  short  key  length  of  56  bits. 
Nevertheless,  it  remains  in  wide  use  today  in  its  strengthened  form  of  triple- 
DES  (as  described  in  Section  5.4). 

DES is of great historical significance, and has undergone intensive scrutiny within the cryptographic community, arguably more than any other cryptographic algorithm in history. The common consensus is that, relative to its key length, DES is extremely secure. Indeed, even after so many years, the best known attack on DES in practice is a brute-force search over all 2⁵⁶ possible keys. As we will see later, there are important theoretical attacks on DES that require less computation than such a brute-force attack; however, these attacks assume certain conditions that seem unlikely to hold in practice.

In  this  section,  we  provide  a high-level  overview  of  the  main  components  of 
DES.  We  stress  that  we  will  not  provide  a full  specification  that  is  correct  in 
every  detail,  and  some  parts  of  the  design  will  be  omitted  from  our  description. 
Our  aim  is  to  present  the  basic  ideas  underlying  the  construction  of  DES,  and 
not  all  the  low-level  details;  the  reader  interested  in  such  details  can  consult 
the  references  at  the  end  of  this  chapter. 

5.3.1  The  Design  of  DES 

The DES block cipher is a 16-round Feistel network with a block length of 64 bits and a key length of 56 bits. Recall that in a Feistel network the internal f-functions that are used in each round operate on half a block at a time. Thus, the input/output length of a DES round function is 32 bits. The round functions used in each of the 16 rounds of DES are all derived from the same mangler function f̂ᵢ = f̂. The key schedule of DES is used to derive a 48-bit sub-key kᵢ for each round from the 56-bit master key k. As discussed in the previous section, the ith round function fᵢ is then defined as fᵢ(R) = f̂(kᵢ, R). As is to be expected from the fact that DES uses a Feistel structure, the round functions are non-invertible.

The  key  schedule  of  DES  is  relatively  simple,  with  each  sub-key  ki  being 
a permuted  subset  of  48  bits  from  the  master  key.  We  will  not  describe  the 
key  schedule  exactly.  It  suffices  for  us  to  note  that  the  56  bits  of  the  master 
key  are  divided  into  two  halves  — a “left  half”  and  a “right  half”  — each 
containing  28  bits  (actually,  this  division  occurs  after  an  initial  permutation 
is  applied  to  the  key,  but  we  ignore  this  in  our  description).  In  each  round, 
the  left-most  24  bits  of  the  sub-key  are  taken  as  some  subset  of  the  28  bits 
in  the  left  half  of  the  master  key,  and  the  right-most  24  bits  of  the  sub-key 
are taken as some subset of the 28 bits in the right half of the master key.
We  stress  that  the  entire  key  schedule  (including  the  manner  in  which  bits 
are  divided  into  the  left  and  right  halves,  and  which  bits  are  used  in  forming 
sub-key  ki)  is  fixed  and  public,  and  the  only  secret  is  the  master  key  itself. 

The DES mangler function f̂. Recall that the mangler function f̂ and the ith sub-key kᵢ jointly determine the ith round function fᵢ. The mangler function in DES is constructed using a paradigm we have previously analyzed: it is (essentially) just a 1-round substitution-permutation network! In more detail, computation of f̂(kᵢ, R) with kᵢ ∈ {0,1}⁴⁸ and R ∈ {0,1}³² proceeds as follows: first, R is expanded to a 48-bit value R′. This is done by simply duplicating half the bits of R; we denote this by R′ := E(R) where E represents the expansion function. Following this step, computation proceeds exactly as in our earlier discussion of substitution-permutation networks: The expanded value R′ is XORed with kᵢ, and the resulting value is divided into 8 blocks, each of which is 6 bits long. Each block is passed through a (different) S-box that takes a 6-bit input and yields a 4-bit output; concatenating the output from the 8 S-boxes gives a 32-bit result. As the final step, a mixing permutation is applied to the bits of this result to obtain the final output of f̂. See Figure 5.4 for a diagram of the construction.

One difference here (as compared to our original discussion of substitution-permutation networks) is that the S-boxes referred to above are not invertible; indeed, they cannot possibly be invertible since their inputs are longer than their outputs. Further discussion regarding the structural details of the S-boxes is given below.

We stress once again that everything in the above description (including the S-boxes themselves as well as the mixing permutation) is publicly-known. The only secret is the master key which is used to derive all the sub-keys.

The S-boxes. The eight S-boxes that form the “core” of f̂ are a crucial element of the DES construction, and were very carefully designed (reportedly, with the help of the National Security Agency). Studies of DES have shown that if small changes to the S-boxes had been introduced, or if the S-boxes had been chosen at random, DES would have been much more vulnerable to attack. This should serve as a warning to anyone who wishes to design a block cipher: seemingly arbitrary choices are not arbitrary at all, and if not made correctly may render the entire construction insecure.

Recall that each S-box maps 6-bit strings to 4-bit strings. Each S-box can be viewed as a table with 4 rows and 16 columns, where each cell of the table contains a 4-bit entry. A 6-bit input can be viewed as indexing one of the 2⁶ = 64 cells of the table in the following way: The first and last input bits are used to choose the table row, and bits 2-5 are used to choose the table column. The 4-bit entry at a particular cell represents the output value for the input associated with that position.
FIGURE 5.4: The DES mangler function.


Due to their importance, we will describe some basic properties of the DES S-boxes:

1. Each S-box is a 4-to-1 function. (That is, exactly 4 inputs are mapped to each possible output.) This follows from the properties below.

2. Each row in the table contains each of the 16 possible 4-bit strings exactly once. (That is, each row is a permutation of the 16 possible 4-bit strings.)

3. Changing one bit of the input always changes at least two bits of the output.

We  will  use  the  above  properties  in  our  analysis  of  reduced-round  DES  below. 
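The row/column indexing described above and the three listed properties can be checked mechanically. The following is an added example, not code from the book: the table is the published DES S-box S1 from the FIPS standard (it is not printed on this page), and the helper functions look up a 6-bit input and verify properties 1 to 3 for any table in the same 4×16 format.

```python
"""DES S-box as a 4x16 table, indexed as the text describes: the first and
last input bits pick the row, input bits 2-5 pick the column.

Added example. DES_S1 is the published S-box S1 of the DES standard
(FIPS 46), reproduced here because the page itself does not print it."""

DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(table, x):
    """6-bit input x (input bit 1 is the most significant) -> 4-bit output."""
    if not 0 <= x < 64:
        raise ValueError("S-box input must be a 6-bit value")
    row = (((x >> 5) & 1) << 1) | (x & 1)    # first and last input bits
    col = (x >> 1) & 0xF                      # input bits 2-5
    return table[row][col]


def is_four_to_one(table):
    """Property 1: every 4-bit output has exactly four 6-bit preimages."""
    counts = [0] * 16
    for x in range(64):
        counts[sbox_lookup(table, x)] += 1
    return all(c == 4 for c in counts)


def rows_are_permutations(table):
    """Property 2: each row contains every 4-bit value exactly once."""
    return all(sorted(row) == list(range(16)) for row in table)


def min_output_change(table):
    """Property 3: the minimum number of output bits that change over all
    single-bit input flips; the DES design requires this to be at least 2."""
    return min(bin(sbox_lookup(table, x) ^ sbox_lookup(table, x ^ (1 << b))).count("1")
               for x in range(64) for b in range(6))


def check_des_sbox(table):
    """Summarise the three properties for one 4x16 table."""
    return {
        "four_to_one": is_four_to_one(table),
        "rows_are_permutations": rows_are_permutations(table),
        "min_output_change": min_output_change(table),
    }


# Constructed counter-example: rows that are permutations (so still 4-to-1)
# but whose row bits do not affect the output at all, violating property 3.
IDENTITY_ROWS = [list(range(16)) for _ in range(4)]

if __name__ == "__main__":
    print("S1(000000) =", sbox_lookup(DES_S1, 0b000000))
    print(check_des_sbox(DES_S1))
    print(check_des_sbox(IDENTITY_ROWS))
```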

The DES avalanche effect. As discussed earlier, the avalanche effect is a crucial property of any secure block cipher. The third property of the DES S-boxes described above, along with the mixing permutation that is used in the mangler function, ensure that DES exhibits a strong avalanche effect. In order to see this, we will trace the difference between the intermediate values in a DES computation of two inputs that differ by just a single bit. Let us denote the two inputs by (L₀, R₀) and (L₀′, R₀′), where we assume that R₀ = R₀′ and so the single-bit difference occurs in the left half of the inputs (it may help to refer to Equation (5.2) in what follows). After the first round the intermediate values (L₁, R₁) and (L₁′, R₁′) still differ by only a single bit, though now this difference is in the right half. In the second round of DES, the right half of each input is run through f̂. Assuming that the bit where R₁ and R₁′ differ is not duplicated in the expansion step, the intermediate values before applying the S-boxes still differ by only a single bit. By property 3, the intermediate values after the S-box computation differ in at least two bits. The result is that the intermediate values (L₂, R₂) and (L₂′, R₂′) differ in three bits: there is a 1-bit difference between L₂ and L₂′ (carried over from the difference between R₁ and R₁′) and a 2-bit difference between R₂ and R₂′.

The mixing permutation spreads the two-bit difference between R₂ and R₂′ into different regions of these strings. The effect is that, in the following round, each of the two different bits is used as input for a different S-box, resulting in a difference of 4 bits in the right halves of the intermediate values. (There is also now a 2-bit difference in the left halves.) As with a substitution-permutation network, we have an exponential effect and so after 7 rounds we expect all 32 bits in the right half to be affected (and after 8 rounds all 32 bits in the left half will be affected as well).

DES has 16 rounds, and so the avalanche effect is completed very early in the computation. This ensures that the computation of DES on similar inputs yields completely different and independent-looking outputs. We remark that the avalanche effect in DES is also due to a careful choice of the mixing permutation, and in fact it has been shown that a random mixing permutation would yield a far weaker avalanche effect.

5.3.2 Attacks on Reduced-Round Variants of DES

A useful exercise for understanding more about the DES construction and its security is to look at the behavior of DES with only a few rounds. We will show attacks on one-, two-, and three-round variants of DES (recall that the real DES has 16 rounds). Clearly DES with three rounds or fewer cannot be a pseudorandom function because the avalanche effect is not yet complete after only three rounds. Thus, we will be interested in demonstrating more difficult (and more damaging) key-recovery attacks which compute the key k using only a relatively small number of input/output pairs computed using that key. Some of the attacks are similar to those we have seen in the context of substitution-permutation networks; here, however, we will see how they are applied to a concrete block cipher rather than to an abstract design.

All the attacks below will be known-plaintext attacks whereby the adversary has plaintext/ciphertext pairs {(xᵢ, yᵢ)} with yᵢ = DESₖ(xᵢ) for some secret key k. When we describe the attacks, we will focus on a particular input/output pair (x, y) and will describe the information about the key that an adversary can derive from this pair. Continuing to use the notation developed earlier, we denote the left and right halves of the input x as L₀ and R₀, respectively, and let Lᵢ, Rᵢ denote the left and right halves after the ith round. We continue to let E denote the DES expansion function, fᵢ denote the round function applied in round i, and kᵢ denote the sub-key used in round i.
Single-round DES. In single-round DES, we have that y = (L₁, R₁) where L₁ = R₀ and R₁ = L₀ ⊕ f₁(R₀). We therefore know an input/output pair for f₁; specifically, we know that f₁(R₀) = R₁ ⊕ L₀ (note that all these values are known). By applying the inverse of the mixing permutation to the output R₁ ⊕ L₀, we obtain the intermediate value that contains the outputs from all the S-boxes, where the first 4 bits are the output from the first S-box, the next 4 bits are the output from the second S-box, and so on. This means that we have the exact output of each S-box.

Consider the (known) 4-bit output of the first S-box. Recalling that each S-box is a 4-to-1 function, this means that there are exactly four possible inputs to this S-box that would result in the given output, and similarly for all the other S-boxes; each such input is 6 bits long. The input to the S-boxes is simply the XOR of E(R₀) with the key k₁ used in this round. (Actually, for single-round DES, k₁ is the only key.) Since R₀ is known, we conclude that for each 6-bit portion of k₁ there are four possible values (and we can compute them). This means we have reduced the number of possible keys k₁ from 2⁴⁸ to 4^(48/6) = 4⁸ = 2¹⁶ (since there are four possibilities for each of the eight 6-bit portions of k₁). This is already a small number and so we can just try all the possibilities on a different input/output pair (x′, y′) to find the right one. We thus obtain the full key using only two known plaintexts in time roughly 2¹⁶.

Two-round DES. In two-round DES, the output y is equal to (L₂, R₂) where

L₁ = R₀
R₁ = L₀ ⊕ f₁(R₀)
L₂ = R₁ = L₀ ⊕ f₁(R₀)
R₂ = L₁ ⊕ f₂(R₁).

Note that L₀, R₀, L₂, R₂ are known from the given input/output pair (x, y), and thus we also know L₁ = R₀ and R₁ = L₂. This means that we know the input/output of both f₁ and f₂, and so the same method used in the attack on single-round DES can be used here to determine both k₁ and k₂ in time roughly 2 · 2¹⁶. This attack works even if k₁ and k₂ are completely independent keys. In fact, the key schedule of DES ensures that many of the bits of k₁ and k₂ are equal, which can be used to further speed up the attack.

Three-round DES. See Figure 5.5 for a diagram of three-round DES. The output value y is equal to (L₃, R₃). Since L₁ = R₀ and R₂ = L₃, the only unknown values in the figure are R₁ and L₂ (which are equal).

Now  we  no  longer  have  the  input/output  to  any  round  function  fi.  For 
example,  consider  /2.  In  this  case,  the  output  value  is  equal  to  Li  © R2  where 
both  of  these  values  are  known.  However,  we  do  not  know  the  value  R\  that  is 
input  to  /2-  We  do  know  that  R\  = Lq®  fi{RQ),  and  that  Ri  = R3  © /3(R2), 
but  the  outputs  of  fi  and  /s  are  unknown.  A similar  exercise  shows  that  for 
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FIGURE  5.5:  3-round  DES. 

fi  and  /s  we  can  determine  the  inputs  but  not  the  outputs.  Thus,  the  attack 
we  used  to  break  one-round  and  two-round  DES  will  not  work  here. 

Instead of relying on full knowledge of the input and output of one of the round functions, we will use knowledge of a certain relation between the inputs and outputs of $f_1$ and $f_3$. Observe that the output of $f_1$ is equal to $L_0 \oplus R_1 = L_0 \oplus L_2$. The output of $f_3$ is equal to $L_2 \oplus R_3$. This means that the XOR of the output of $f_1$ with the output of $f_3$ is equal to
\[
(L_0 \oplus L_2) \oplus (L_2 \oplus R_3) = L_0 \oplus R_3,
\]
which is known. That is, the XOR of the outputs of $f_1$ and $f_3$ is known. Furthermore, the input to $f_1$ is $R_0$ and the input to $f_3$ is $L_3$, both of which are known. We conclude that we can determine the inputs to $f_1$ and $f_3$, and the XOR of their outputs. We now describe an attack that finds the secret key based on this information.

Recall that the key schedule of DES has the property that the master key is divided into a "left half", which we denote by $k_L$, and a "right half" $k_R$, each containing 28 bits. Furthermore, the left-most bits of the sub-key used in each round are taken only from $k_L$, and the right-most bits of each sub-key are taken only from $k_R$. This means that the left half of the master key affects the inputs only to the first four S-boxes in any round, while the right half of the master key affects the inputs only to the last four S-boxes. Since the mixing permutation is known, we also know which bits of the output of each round function come out of each S-box.
The idea behind the attack is to separately traverse the key-space for each half of the master key, giving an attack with complexity (roughly) $2 \cdot 2^{28}$ rather than complexity $2^{56}$. Such an attack will be possible if we can verify a guess of half the master key, and we now show how this can be done. Let $k_L$ be a guess for the left half of the master key. We know the input $R_0$ of $f_1$, and so using our guess of $k_L$ we can compute the input to the first four S-boxes. This means that we can compute half the output bits of $f_1$ (the mixing permutation spreads out the bits we know, but since the mixing permutation is known we know exactly which bits these are). Likewise, we can compute the same locations in the output of $f_3$ by using the known input $L_3$ to $f_3$ and the same guess $k_L$. Finally, we can compute the XOR of these output values and check whether they match the appropriate bits in the known value of the XOR of the outputs of $f_1$ and $f_3$. If they are not equal, then our guess $k_L$ is incorrect. The correct half-key $k_L$ will always pass this test, and an incorrect half-key is expected to pass this test only with probability roughly $2^{-16}$ (since we check equality of 16 bits in two computed values). There are $2^{28}$ possible half-keys to try and so we expect to be left with $2^{28}/2^{16} = 2^{12}$ possibilities for $k_L$ after the above.

By performing the above for each half of the master key, we obtain in time $2 \cdot 2^{28}$ approximately $2^{12}$ candidates for the left half and $2^{12}$ candidates for the right half. Since each combination of the left half and right half is possible, we have $2^{24}$ candidate keys overall and can run a brute-force search over this set using an additional input/output pair $(x', y')$. The time complexity of the attack is roughly $2 \cdot 2^{28} + 2^{24} < 2^{30}$, and its space complexity is $2 \cdot 2^{12}$.

An  attack  of  this  complexity  could  be  carried  out  on  a standard  personal 
computer. 
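As an added illustration (not code from the book), the following Python program runs the half-key attack just described against a constructed toy three-round Feistel cipher: a 32-bit block, a 16-bit master key split into $k_L$ and $k_R$, four 4-bit S-boxes of which the first two are fed only from $k_L$ and the last two only from $k_R$, and a fixed bit permutation standing in for DES's mixing permutation. The S-box table, the permutation PERM, the rotating key schedule, and the sample key and plaintexts are all assumptions made for this example; only the attack logic follows the text. Each half is recovered from one known pair by checking the predicted bits of $f_1(R_0) \oplus f_3(L_3)$ against $L_0 \oplus R_3$, and the surviving combinations are verified on a second pair.

```python
"""Toy three-round Feistel cipher and the 'attack each key half separately'
method. Everything here is a constructed stand-in for DES."""
from itertools import product

# Constructed parameters: SBOX is the 4-bit PRESENT S-box, PERM an arbitrary
# fixed bit permutation (output bit i is taken from input bit PERM[i]).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [5, 12, 0, 9, 14, 3, 7, 10, 1, 15, 8, 4, 11, 2, 13, 6]
ROUNDS = 3

def rotl8(v, r):
    r %= 8
    return ((v << r) | (v >> (8 - r))) & 0xFF

def subkey(key, rnd):
    """Key schedule mirroring DES: the left 8 sub-key bits come only from k_L,
    the right 8 only from k_R (each half is rotated independently)."""
    kl, kr = key >> 8, key & 0xFF
    return (rotl8(kl, rnd) << 8) | rotl8(kr, rnd)

def permute(v):
    # Bit positions are numbered 0..15 from the most significant bit.
    out = 0
    for i in range(16):
        out |= ((v >> (15 - PERM[i])) & 1) << (15 - i)
    return out

def f(r, sk):
    """Round function: XOR the sub-key, apply four S-boxes, then the permutation.
    S-boxes 0 and 1 see the left 8 bits, S-boxes 2 and 3 the right 8 bits."""
    u = r ^ sk
    v = 0
    for j in range(4):
        v |= SBOX[(u >> (12 - 4 * j)) & 0xF] << (12 - 4 * j)
    return permute(v)

def encrypt(key, x):
    l, r = x >> 16, x & 0xFFFF
    for rnd in range(1, ROUNDS + 1):        # L_i = R_{i-1}, R_i = L_{i-1} xor f_i(R_{i-1})
        l, r = r, l ^ f(r, subkey(key, rnd))
    return (l << 16) | r

# Output-bit positions of f that depend only on S-boxes 0-1 (half 0) or 2-3 (half 1).
MASK = [sum(1 << (15 - i) for i in range(16) if (PERM[i] < 8) == (h == 0)) for h in (0, 1)]

def partial_f(r, guess, rnd, half):
    """The MASK[half] bits of f(r, sub-key) computed from a guess of one key half alone."""
    if half == 0:
        u = ((r >> 8) & 0xFF) ^ rotl8(guess, rnd)
        v = (SBOX[u >> 4] << 12) | (SBOX[u & 0xF] << 8)
    else:
        u = (r & 0xFF) ^ rotl8(guess, rnd)
        v = (SBOX[u >> 4] << 4) | SBOX[u & 0xF]
    return permute(v) & MASK[half]

def half_key_candidates(x, y, half):
    """Keep the 8-bit guesses whose predicted bits of f_1(R_0) xor f_3(L_3)
    agree with the known value L_0 xor R_3 on the positions this half controls."""
    l0, r0, l3, r3 = x >> 16, x & 0xFFFF, y >> 16, y & 0xFFFF
    target = (l0 ^ r3) & MASK[half]
    return [g for g in range(256)
            if partial_f(r0, g, 1, half) ^ partial_f(l3, g, 3, half) == target]

def recover_key(pairs):
    """pairs: list of (plaintext, ciphertext). The first pair filters each half
    (2 * 256 guesses); the remaining pairs verify the surviving combinations."""
    x, y = pairs[0]
    cand_l = half_key_candidates(x, y, 0)
    cand_r = half_key_candidates(x, y, 1)
    return [(kl << 8) | kr for kl, kr in product(cand_l, cand_r)
            if all(encrypt((kl << 8) | kr, px) == py for px, py in pairs)]

if __name__ == "__main__":
    KEY = 0x3A7C                                               # constructed secret key
    PAIRS = [(p, encrypt(KEY, p)) for p in (0x01234567, 0x89ABCDEF)]  # two known plaintexts
    print([hex(k) for k in recover_key(PAIRS)])
```

The filtering step evaluates two half-size S-box layers per guess instead of a full encryption, which is exactly the $2 \cdot 2^{28}$ versus $2^{56}$ saving in the text scaled down to 8-bit halves.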

5.3.3  The  Security  of  DES 

After almost 30 years of intensive study, the best known practical attack on DES is still just an exhaustive search through its key space. (We discuss some important theoretical attacks below. These attacks require a large number of input/output pairs which would be difficult to obtain in an attack on any real-world system using DES.) Unfortunately, the 56-bit key length of DES is short enough that an exhaustive search through all $2^{56}$ possible keys is now feasible (though still non-trivial). Already in the late '70s there were strong objections to the choice of such a short key for DES. Back then, the objection was theoretical as the computational power needed to search through that many keys was generally unavailable.* The practicality of a brute force attack on DES nowadays, however, was demonstrated in 1997 when a number of DES challenges set up by RSA Security were solved (these challenges were in the form of input/output pairs and a reward was given to the first person or organization to find the secret key that was used). The first challenge was broken in 1997 by the DESCHALL project using thousands of computers coordinated across the Internet; the computation took 96 days. A second challenge was broken the following year in just 41 days by the distributed.net project. A significant breakthrough came later in 1998 when the third challenge was solved in just 56 hours. This impressive feat was achieved via a special-purpose DES-breaking machine called Deep Crack that was built by the Electronic Frontier Foundation at a cost of $250,000. The latest challenge was solved in just over 22 hours (as a combined effort of Deep Crack and distributed.net). The bottom line is that DES has a key that is far too short and cannot be considered secure for any application today.

* In 1977, it was estimated that a computer that could crack DES in one day would cost $20 million to build.

Less important than the short key length of DES, but still a concern, is its relatively short block length. The reason that a small block length is problematic is that the security of many constructions based on block ciphers depends on the block length (even if the cipher used is "perfect" and thus regardless of the key length). For example, the proof of security for counter mode encryption (cf. Theorem 3.29) shows that even when a completely random function is used an attacker can break the security of this encryption scheme with probability $O(q^2/2^n)$ if it obtains $q$ plaintext/ciphertext pairs, where $n$ here represents the block length. In the case of DES where $n = 64$, this means that if an attacker obtains only $q = 2^{32}$ plaintext/ciphertext pairs, security is compromised with high probability. Obtaining plaintext/ciphertext pairs is relatively easy if an adversary eavesdrops on the encryption of messages containing known headers, redundancies, etc. (though obtaining $2^{32}$ such pairs may be out of reach).

We stress that the insecurity of DES has nothing to do with its internal structure and design, but rather is due only to its short key length (and, to a lesser extent, its short block length). This is a great tribute to the designers of DES who seem to have succeeded in constructing an almost "perfect" block cipher (with the glaring exception of its too-short key*). Since DES itself seems not to have significant structural weaknesses, it makes sense to use DES as a building block in order to construct a block cipher with a longer key. We discuss such an approach in Section 5.4.

* Actually, the designers of DES almost certainly recognized that the key was too short; it has been suggested that the NSA requested that the key be short enough for them to crack.

Looking ahead a bit, we note that the Advanced Encryption Standard (AES) — the replacement for DES — was explicitly designed to address concerns regarding the short key length and block length of DES. AES supports keys of length 128 bits (and more), and a block length of 128 bits.
Advanced Cryptanalytic Attacks on DES

The successful brute-force attacks described above do not utilize any internal weaknesses of DES. Indeed, for many years no such weaknesses were known to exist. The first breakthrough on this front was by Biham and Shamir in the late '80s who developed a technique called differential cryptanalysis and used it to design an attack on DES using less time than a brute-force search. Their specific attack takes time $2^{37}$ (and uses negligible memory) but requires the attacker to analyze $2^{36}$ ciphertexts obtained from a pool of $2^{47}$ chosen plaintexts. While the existence of this attack was a breakthrough result from a theoretical standpoint, it does not appear to be of much practical concern since it is hard to imagine any realistic scenario where an adversary can obtain this many values in a chosen-plaintext attack.

Interestingly, the work of Biham and Shamir indicated that the DES S-boxes had been specifically designed to be resistant to differential cryptanalysis (to some extent), suggesting that the technique of differential cryptanalysis was known (but not publicly revealed) by the designers of DES. After Biham and Shamir announced their result, the designers of DES claimed that they were indeed aware of differential cryptanalysis and had designed DES to thwart this type of attack (but were asked by the NSA to keep it quiet in the interests of national security).

Following Biham and Shamir's breakthrough, linear cryptanalysis was developed by Matsui in the early '90s and was also applied successfully to DES. The advantage of Matsui's attack is that although it still requires a large number of outputs ($2^{43}$ to be exact), they may be arbitrary and need not be chosen by the attacker. (That is, it utilizes a known-plaintext attack rather than a chosen-plaintext attack.) Nevertheless, it is still hard to conceive of any real scenario where it would be possible to obtain such a large number of input/output (or plaintext/ciphertext) pairs.

We briefly describe the basic ideas behind differential and linear cryptanalysis in Section 5.6. In conclusion, however, we emphasize that although it is possible to break DES in less time than that required by a brute-force search using sophisticated cryptanalytic techniques, an exhaustive key search is still the most effective attack in practice.


5.4  Increasing  the  Key  Length  of  a Block  Cipher 

The  only  known  practical  weakness  of  DES  is  its  relatively  short  key.  It 
thus  makes  sense  to  try  to  design  a block  cipher  with  a larger  key  length  using 
“basic”  DES  as  a building  block.  Some  approaches  to  doing  so  are  discussed  in 
this  section.  Although  we  refer  to  DES  throughout  the  discussion,  and  DES 
is  the  most  prominent  instance  where  these  techniques  have  been  applied, 
everything  we  say  here  applies  generically  to  any  block  cipher. 
Internal tampering vs. black-box constructions. There are two general approaches one could take to constructing another cipher based on DES. The first approach would be to somehow modify the internal structure of DES, while increasing the key length. For example, one could leave the mangler function untouched and simply use a 128-bit master key with a different key schedule (still choosing a 48-bit sub-key in each round). Or, one could change the S-boxes themselves and use a larger sub-key in each round. The disadvantage of this approach is that by modifying DES — in even the smallest way — we lose the confidence we have gained in DES by virtue of the fact that it has remained secure for so many years. More to the point, cryptographic constructions are very sensitive and thus even mild, seemingly-insignificant changes can render the original construction completely insecure.* Changing the internals of a block cipher is therefore not recommended. (If it is really deemed necessary to introduce changes in a block cipher, it is usually better to just develop a new cipher from scratch. This, of course, is all predicated on the assumption that this will be done by experts — we do not recommend ever designing a new cipher especially when modern block ciphers like AES are available.)

* In fact, various results to this effect have been shown for DES; e.g., changing the S-boxes very slightly makes DES much more vulnerable to attack.

An alternative approach that does not suffer from the above problem is to use DES as a "black box". That is, in this approach we completely ignore the internal structure of DES and treat it as a black box that implements a "perfect" block cipher with a 56-bit key. Then, a new cipher is constructed that uses only invocations of the original unmodified DES. Since DES itself is not changed at all, this approach is much more likely to lead to a secure cipher (though it may also lead to a less efficient one), and is the approach we will explore here.

Double Encryption

Let $F$ be a block cipher. Then a new block cipher $F'$ with a key that is twice the length of the original one can be defined by
\[
F'_{k_1,k_2}(x) \stackrel{\text{def}}{=} F_{k_2}(F_{k_1}(x)),
\]
where $k_1$ and $k_2$ are independent keys. If $F$ is DES then the result is a block cipher $F'$ taking a 112-bit key. If exhaustive key search were the best available attack on $F'$, a key length of 112 bits would be sufficient since an attack requiring time $2^{112}$ is completely out of reach. Unfortunately, we now show an attack on $F'$ that runs in time roughly $2^n$ when the original keys $k_1$ and $k_2$ are each of length $n$ (and the block length is at least $n$); this is significantly less than the $2^{2n}$ time one would hope would be necessary to carry out an exhaustive search for a $2n$-bit key. This means that the new block cipher is essentially no better than the old one, even though it has a key that is twice as long.*

Practical Constructions of Pseudorandom Permutations    183

The attack is called a "meet-in-the-middle attack" for reasons that will soon become clear. Say the adversary is given a single input/output pair $(x, y)$ where $y = F'_{k_1,k_2}(x) = F_{k_2}(F_{k_1}(x))$. The adversary will narrow down the set of possible keys in the following way:

1. Set $S := \emptyset$.

2. For each $k_1 \in \{0,1\}^n$, compute $z := F_{k_1}(x)$ and store $(z, k_1)$ in a list $L$.

3. For each $k_2 \in \{0,1\}^n$, compute $z := F^{-1}_{k_2}(y)$ and store $(z, k_2)$ in a list $L'$.

4. Sort $L$ and $L'$, respectively, by their first components.

5. Say that an entry $(z_1, k_1)$ in $L$ and another entry $(z_2, k_2)$ in $L'$ are a match if $z_1 = z_2$. For each match of this sort, add $(k_1, k_2)$ to $S$.

The set $S$ output by this algorithm contains exactly those values $(k_1, k_2)$ for which $y = F'_{k_1,k_2}(x)$. This holds because it outputs exactly those values $(k_1, k_2)$ satisfying
\[
F_{k_1}(x) = F^{-1}_{k_2}(y), \qquad (5.3)
\]
which holds if and only if $y = F'_{k_1,k_2}(x)$. See Figure 5.6 for a graphical depiction of the attack.

* This is not quite true since a brute-force attack on $F$ can be carried out in time $2^n$ and constant memory, whereas the attack on $F'$ requires $2^n$ time and $2^n$ memory (and memory is more precious than time). Nevertheless, the attack illustrates that $F'$ does not achieve a sufficient level of security.
If $n$ is also the block length of $F$ then a random pair $(k_1, k_2)$ is expected to satisfy Equation (5.3) with probability roughly $2^{-n}$, and so the number of elements in $S$ will be approximately $2^{2n} \cdot 2^{-n} = 2^n$. Given another two input/output pairs and trying all $2^n$ elements of $S$ with respect to these pairs is expected to identify the correct $(k_1, k_2)$ with very high probability.

Complexity. The lists $L$ and $L'$ can be generated and sorted (using, e.g., counting sort) in time roughly $2^n$. Once the lists are sorted, all matches can be found in time $O(|S| + |L| + |L'|) = O(2^n)$ (see Exercise 5.13). Determining the correct key using an additional pair $(x', y')$ takes time $O(|S|) = 2^n$. We conclude that the time complexity of the above algorithm is $O(2^n)$.

Triple Encryption

The obvious generalization of the preceding approach is to apply the block cipher three times in succession. Two variants of this approach are common:

1. Variant 1 — three independent keys: Choose 3 independent keys $k_1, k_2, k_3$ and define $F'_{k_1,k_2,k_3}(x) \stackrel{\text{def}}{=} F_{k_3}(F^{-1}_{k_2}(F_{k_1}(x)))$.

2. Variant 2 — two independent keys: Choose 2 independent keys $k_1, k_2$ and define $F'_{k_1,k_2}(x) \stackrel{\text{def}}{=} F_{k_1}(F^{-1}_{k_2}(F_{k_1}(x)))$.

Before comparing the security of the two alternatives we note that the middle invocation of the original cipher is actually in the reverse direction. If $F$ is a sufficiently good cipher this makes no difference to the security, since if $F$ is a strong pseudorandom permutation then $F^{-1}$ must be too. The reason for this strange alternation between $F$, $F^{-1}$, and $F$ is so that if one chooses $k_1 = k_2 = k_3$, the result is a single invocation of $F$ with $k_1$. This ensures backward compatibility (i.e., in order to switch back to a single invocation of $F$, it suffices to just set the keys to all be equal).
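The meet-in-the-middle attack on double encryption and the equal-keys property of Variant 1 above, as one added Python example (not the book's code). The cipher F is a constructed toy with a 12-bit block and a 12-bit key, a four-round Feistel network whose only job is to be an invertible keyed permutation; its round function, key schedule and the sample keys and plaintexts are assumptions of the example. With key length equal to block length the matching step yields about $2^n = 4096$ candidate pairs, which two further known pairs reduce to the true key, for roughly $2 \cdot 2^{12}$ cipher calls instead of $2^{24}$.

```python
"""Meet-in-the-middle against double encryption, plus EDE triple encryption,
on a constructed toy block cipher F (12-bit block, 12-bit key)."""
from collections import defaultdict

N = 12                      # key length == block length, the case analysed in the text
HALF = N // 2
MASK_HALF = (1 << HALF) - 1

def _rotl(v, r, w):
    r %= w
    return ((v << r) | (v >> (w - r))) & ((1 << w) - 1)

def _round_fn(r, sk):
    t = (r ^ sk) & MASK_HALF
    return ((t * 0x1D) ^ (t >> 2) ^ 0x2B) & MASK_HALF      # arbitrary nonlinear mixing

def F(k, x):
    """Toy block cipher F_k(x): a 4-round Feistel network (constructed, not DES)."""
    l, r = x >> HALF, x & MASK_HALF
    for i in range(4):
        l, r = r, l ^ _round_fn(r, _rotl(k, 5 * i, N) & MASK_HALF)
    return (l << HALF) | r

def F_inv(k, y):
    """Inverse of F: run the Feistel rounds backwards."""
    l, r = y >> HALF, y & MASK_HALF
    for i in reversed(range(4)):
        l, r = r ^ _round_fn(l, _rotl(k, 5 * i, N) & MASK_HALF), l
    return (l << HALF) | r

def double_enc(k1, k2, x):
    """F'_{k1,k2}(x) = F_{k2}(F_{k1}(x))."""
    return F(k2, F(k1, x))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (x, y) pairs in about 2 * 2^N cipher calls.
    Returns (surviving key pairs, size of the match set S)."""
    x, y = pairs[0]
    fwd = defaultdict(list)          # z -> all k1 with F_{k1}(x) = z  (plays the role of sorted L)
    for k1 in range(1 << N):
        fwd[F(k1, x)].append(k1)
    S = []                           # matches: (k1, k2) with F_{k1}(x) = F^{-1}_{k2}(y)
    for k2 in range(1 << N):
        for k1 in fwd.get(F_inv(k2, y), ()):
            S.append((k1, k2))
    # |S| is about 2^N; the remaining known pairs single out the true key.
    survivors = [(k1, k2) for k1, k2 in S
                 if all(double_enc(k1, k2, px) == py for px, py in pairs[1:])]
    return survivors, len(S)

def triple_ede(k1, k2, k3, x):
    """Variant 1 of triple encryption: F_{k3}(F^{-1}_{k2}(F_{k1}(x)))."""
    return F(k3, F_inv(k2, F(k1, x)))

if __name__ == "__main__":
    K1, K2 = 0x5A3, 0xC17                                    # constructed secret keys
    pairs = [(p, double_enc(K1, K2, p)) for p in (0x123, 0x9AB, 0x0F0)]
    found, middle = meet_in_the_middle(pairs)
    print([(hex(a), hex(b)) for a, b in found], middle)
    print(triple_ede(K1, K1, K1, 0x123) == F(K1, 0x123))     # equal keys collapse EDE to one F
```

The dictionary keyed on the middle value replaces the sort-and-merge of steps 4 and 5; it is the counting-sort idea from the complexity discussion, and the memory it needs (one entry per key) is the $2^n$ space cost the footnote points out.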

Security of the first variant. The key length of this variant is $3n$ (where, as before, the key length of the original cipher $F$ is $n$) and so we might hope that the best attack on this cipher would require time $2^{3n}$. However, the cipher is susceptible to a meet-in-the-middle attack just as in the case of double encryption, though the attack now takes time $2^{2n}$. This is the best known attack. Thus, although this variant is not as secure as we might have hoped, it obtains sufficient security for all practical purposes if $n = 56$ (assuming, of course, that the original block cipher $F$ has no weaknesses).

Security of the second variant. The key length of this variant is $2n$ and so the best we can hope for is security against attacks running in time $2^{2n}$. There is no known attack with better time complexity when the adversary is given only a single input/output pair. However, there is a known chosen-plaintext attack that finds the key in time $2^n$ using $2^n$ chosen input/output pairs (see Exercise 5.12). Despite this, it is still a reasonable choice in practice.
Triple-DES (3DES). Triple-DES is based on a triple invocation of DES using two or three keys, as described above. It is widely believed to be highly secure and in 1999 officially replaced DES as a standard. Triple-DES is still widely used today and is considered a very strong block cipher. Its only drawbacks are its relatively small block length and the fact that it is quite slow since it requires 3 full block cipher operations. These drawbacks have led to the replacement of DES/triple-DES by the Advanced Encryption Standard (AES), presented in the next section.


5.5  AES  — The  Advanced  Encryption  Standard 

In January 1997, the United States National Institute of Standards and Technology (NIST) announced that it would hold a competition to select a new block cipher — to be called the Advanced Encryption Standard, or AES — to replace DES. The competition began with an open call for teams to submit candidate block ciphers for evaluation. A total of 15 different algorithms were submitted from all over the world, and these submissions included the work of many of the best cryptographers and cryptanalysts today. Each team's candidate cipher was intensively analyzed by members of NIST, the public, and (especially) the other teams. Two workshops were held, one in 1998 and one in 1999, at which cryptanalytic attacks of the various submissions were shown. Following the second workshop, NIST narrowed the field down to 5 "finalists" and the second round of the competition began. A third AES workshop was held, inviting additional scrutiny on the five finalists. In October 2000, NIST announced that the winning algorithm was Rijndael (a block cipher designed by Joan Daemen and Vincent Rijmen from Belgium), though it conceded that any of the 5 finalists would have made an excellent choice. In particular, no serious security vulnerabilities were found in any of the 5 finalists, and the selection of a "winner" was based in part on properties such as efficiency, flexibility, etc.

The process of selecting AES was ingenious because any group who submitted an algorithm, and was therefore interested in having their algorithm adopted, had strong motivation to find attacks in all the other submissions.* In this way, essentially all the world's best cryptanalysts focused on finding even the slightest weaknesses in the candidate ciphers submitted to the competition. After only a few years each candidate algorithm was already subjected to intensive study, thus increasing our confidence in the security of the winning algorithm. Of course, the longer the algorithm is used without being broken, the more our confidence will grow. Today, AES is already very widely used and no significant security weaknesses have been discovered.

* The motivation was not financial because the winning submission could not be patented. Nevertheless, much honor and glory was at stake.

The AES construction. In this section, we will present the high-level structure of Rijndael/AES. (Technically speaking, Rijndael and AES are not the same thing but the differences are unimportant for our discussion here.) As with DES, we will not present a full specification and our description should not be used as a basis for implementation. Our aim is only to provide a general idea of how the algorithm works.

The  AES  block  cipher  has  a 128-bit  block  length  and  can  use  128-,  192-,  or 
256-bit  keys.  The  length  of  the  key  affects  the  key  schedule  (i.e.,  the  sub-key 
that  is  used  in  each  round)  as  well  as  the  number  of  rounds,  but  does  not 
affect  the  high-level  structure  of  each  round. 

In contrast to DES that uses a Feistel structure, AES is essentially a substitution-permutation network. During computation of the AES algorithm, a 4-by-4 array of bytes called the state is modified in a series of rounds. The state is initially set equal to the input to the cipher (note that the input is 128 bits which is exactly 16 bytes). The following operations are then applied to the state in a series of four stages during each round:

1. Stage 1 — AddRoundKey: In every round of AES, a 128-bit sub-key is derived from the master key, and is interpreted as a 4-by-4 array of bytes. The state array is updated by XORing it with this sub-key.

2. Stage 2 — SubBytes: In this step, each byte of the state array is replaced by another byte according to a single fixed lookup table $S$. This substitution table (or S-box) is a bijection over $\{0,1\}^8$. We stress that there is only one S-box and it is used for substituting all the bytes in the state array, in every round.

3. Stage 3 — ShiftRows: In this step, the bytes in each row of the state array are cyclically shifted to the left as follows: the first row of the array is untouched, the second row is shifted one place to the left, the third row is shifted two places to the left, and the fourth row is shifted three places to the left. All shifts are cyclic so that, e.g., in the second row the first byte becomes the fourth byte.

4. Stage 4 — MixColumns: In this step, an invertible linear transformation is applied to each column. One can think of this as matrix multiplication (over some appropriate field).

By viewing stages 3 and 4 together as a "mixing" step, we see that each round of AES has the structure of a substitution-permutation network: the round sub-key is first XORed with the input to the current round; next, a small, invertible function is applied to "chunks" of the resulting value; finally, the bits of the result are mixed in order to obtain diffusion. The only difference is that, unlike our general description of substitution-permutation networks, here the mixing step does not consist of a simple permutation of the bits but is instead carried out using an invertible linear transformation of the bits. (Simplifying things a bit and looking at a trivial 3-bit example, a permutation of the bits of $x = x_1 \| x_2 \| x_3$ might, e.g., map $x$ to $x' = x_2 \| x_1 \| x_3$. An invertible linear transformation might map $x$ to $x_1 \oplus x_2 \,\|\, x_2 \oplus x_3 \,\|\, x_1 \oplus x_2 \oplus x_3$.)

The  number  of  rounds  in  AES  depends  on  the  length  of  the  key.  There 
are  10  rounds  for  a 128-bit  key,  12  rounds  for  a 192-bit  key,  and  14  rounds 
for  a 256-bit  key.  In  the  final  round  of  AES  the  MixColumns  stage  is  replaced 
with  an  additional  AddRoundKey  step  (this  prevents  an  adversary  from  simply 
inverting  the  last  three  stages,  which  do  not  depend  on  the  key). 
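As an added example (not part of the book), the following Python code makes the comparison between a bit permutation and an invertible linear transformation concrete for the two 3-bit maps given above, checks that both are bijections and GF(2)-linear, and counts how many input bits each output bit depends on, which is where the diffusion comes from. It also implements the ShiftRows stage on a 4-by-4 state held as four rows, together with its inverse. The `dependency_counts` helper and the sample state are constructions for this example; bit $x_1$ is taken as the most significant bit of $x$.

```python
"""Bit permutation vs. invertible linear map on 3-bit strings, and ShiftRows."""

def bits(x, n=3):
    """x as a list [x1, ..., xn], most significant bit first."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def from_bits(b):
    v = 0
    for bit in b:
        v = (v << 1) | bit
    return v

def bit_permutation(x):
    """x1||x2||x3 -> x2||x1||x3, the permutation example in the text."""
    x1, x2, x3 = bits(x)
    return from_bits([x2, x1, x3])

def linear_map(x):
    """x1||x2||x3 -> (x1^x2)||(x2^x3)||(x1^x2^x3): linear over GF(2),
    but not a permutation of bit positions."""
    x1, x2, x3 = bits(x)
    return from_bits([x1 ^ x2, x2 ^ x3, x1 ^ x2 ^ x3])

def is_invertible(fn, n=3):
    """A map on {0,1}^n is invertible iff it is a bijection; check exhaustively."""
    return sorted(fn(x) for x in range(1 << n)) == list(range(1 << n))

def is_gf2_linear(fn, n=3):
    """fn(a xor b) == fn(a) xor fn(b) for all a, b (fn(0) == 0 follows)."""
    return all(fn(a ^ b) == fn(a) ^ fn(b) for a in range(1 << n) for b in range(1 << n))

def dependency_counts(fn, n=3):
    """For each output bit, the number of input bits that can change it:
    exactly 1 for a pure bit permutation, more for a mixing linear map."""
    counts = []
    for out_bit in range(n):
        deps = 0
        for in_bit in range(n):
            flip = 1 << (n - 1 - in_bit)
            if any(((fn(x) ^ fn(x ^ flip)) >> (n - 1 - out_bit)) & 1 for x in range(1 << n)):
                deps += 1
        counts.append(deps)
    return counts

def shift_rows(state):
    """state: four rows of four bytes; row r is rotated cyclically left by r."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]

if __name__ == "__main__":
    print("linear map on 0..7:", [linear_map(x) for x in range(8)])
    print("dependencies:", dependency_counts(bit_permutation), dependency_counts(linear_map))
    st = [[0, 1, 2, 3], [4, 5, 6, 7], [8, 9, 10, 11], [12, 13, 14, 15]]   # constructed state
    print("ShiftRows:", shift_rows(st))
```

Note that ShiftRows and the linear maps contain no key material at all, which is why the text has the final AES round swap MixColumns for an extra AddRoundKey: key-independent stages at the very end could otherwise simply be undone.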

Security of AES. As we have mentioned, the AES cipher was subject to intensive scrutiny during the selection process and this has continued ever since. To date, the only non-trivial cryptanalytic attacks that have been found are for reduced-round variants of AES. It is often hard to compare cryptanalytic attacks because each tends to perform better with regard to some parameter; we describe the complexity of one set of attacks merely to give a flavor of what is known. There are known attacks on 6-round AES for 128-bit keys (using on the order of $2^{72}$ encryptions), 8-round AES for 192-bit keys (using on the order of $2^{188}$ encryptions), and 8-round AES for 256-bit keys (using on the order of $2^{204}$ encryptions). We stress that the above attacks are for reduced-round variants of AES, and as of today no attack better than exhaustive key search is known for the full AES construction. (Moreover, even the complexities of the attacks on the reduced-round variants are very high.)

We conclude that, as of today, AES constitutes an excellent choice for almost any cryptographic implementation that relies on a pseudorandom permutation. It is free, standardized, efficient, and highly secure.


5.6  Differential  and  Linear  Cryptanalysis  — A Brief  Look 

Typical  block  ciphers  are  relatively  complicated  constructions,  and  as  such 
are  hard  to  analyze  and  cryptanalyze.  Nevertheless,  one  should  not  be  fooled 
into  thinking  that  a complicated  cipher  is  difficult  to  break.  On  the  contrary, 
it  is  very  difficult  to  construct  a secure  block  cipher  and  surprisingly  easy  to 
construct  a trivially  insecure  one  (no  matter  how  complicated  it  looks).  This 
should  serve  as  a warning  that  non-experts  should  not  try  to  construct  new 
ciphers  unless  there  is  a very  good  reason.  Given  the  availability  of  triple-DES 
and  AES,  in  most  applications  it  is  hard  to  justify  using  anything  else. 

In  this  section  we  will  briefly  mention  two  tools  that  are  now  a standard 
part  of  the  cryptanalyst’s  toolbox.  The  existence  of  such  tools  should  also 
serve  to  reinforce  the  above  warning  that  it  is  very  hard  to  construct  good 
block  ciphers. 
Differential cryptanalysis. This technique was first presented in the late '80s by Biham and Shamir, who used it to attack DES in 1993. The basic idea behind the attack is to tabulate specific differences in the input that lead to specific differences in the output with probability greater than would be expected for a random permutation. Specifically, say a block cipher has block length $n$ and let $\Delta_x, \Delta_y \in \{0,1\}^n$. We say that the differential $(\Delta_x, \Delta_y)$ appears with probability $p$ if for random inputs $x_1$ and $x_2$ satisfying $x_1 \oplus x_2 = \Delta_x$ and random choice of key $k$, the probability that $F_k(x_1) \oplus F_k(x_2) = \Delta_y$ is $p$. It is clear that for a random function, no differential should appear with probability much higher than $2^{-n}$. In a weak block cipher, however, there may be differentials that appear with significantly higher probability.

One  can  find  a differential  that  occurs  with  high  probability  either  through 
a brute-force  search  (done  once-and-for-all  for  the  block  cipher,  independent 
of  any  particular  key)  or  via  a careful  analysis  of  the  block  cipher  itself.  If 
a differential exists with probability $p \gg 2^{-n}$, then the block cipher already
no longer qualifies as a pseudorandom permutation. The point of differential
cryptanalysis is to use many differentials, that may each be only slightly larger
than $2^{-n}$, to recover the secret key (and thus break the cipher entirely) using
a chosen-plaintext  attack.  We  will  not  discuss  the  details  here,  though  we 
mention  that  applying  the  block  cipher  to  random  pairs  of  inputs  that  have 
the  given  differential  enables  a cryptanalyst  to  isolate  portions  of  the  secret 
key  and  verify  guesses  for  those  portions.  As  we  discussed  regarding  the  attack 
on  a 2-round  substitution-permutation  network,  the  ability  to  isolate  parts  of 
a key  enables  an  attacker  to  obtain  the  key  in  time  less  than  a brute  force 
search.  Note,  however,  that  the  fact  that  chosen  plaintexts  are  required  makes 
the  attack  of  somewhat  limited  practicality. 

Although  differential  cryptanalysis  does  not  appear  to  lead  to  any  practical 
attacks  on  DES  and  AES  (since  the  number  of  chosen  plaintexts  required  to 
carry  out  the  attack  is  huge) , differential  cryptanalysis  has  been  used  success- 
fully to  attack  other  block  ciphers.  One  important  example  is  FEAL-8,  which 
was  completely  broken  using  differential  cryptanalysis. 

Linear cryptanalysis. Linear cryptanalysis was developed by Matsui in
the early ’90s. This method considers linear relationships between the input
and output. Say that bit positions $i_1, \ldots, i_\ell$ and $i'_1, \ldots, i'_{\ell'}$ have bias $p$ if, for
randomly-chosen input $x$ and key $k$, it holds that

$$\Pr\left[y_{i'_1} \oplus \cdots \oplus y_{i'_{\ell'}} \oplus x_{i_1} \oplus \cdots \oplus x_{i_\ell} = 0\right] = p,$$

where $y = F_k(x)$ and $x_i, y_i$ represent the bits of $x$ and $y$. For a truly random
function, we expect the bias to be close to 0.5. Matsui showed how to use
a large enough bias in a given cipher $F$ to completely break the cipher by
finding the secret key. An important feature of this attack is that it does not
require chosen plaintexts, and known plaintexts are sufficient. Even so, if a
very large number of plaintext/ciphertext pairs are needed the attack becomes
impractical in most settings.
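The two definitions above (a differential with probability $p$, and bit positions with bias $p$) are stated for a whole keyed cipher; as an added example that is not from the book, they can be evaluated exactly for a single 4-bit S-box by enumeration, which is the first thing a designer or reviewer tabulates for a proposed cipher component. The PRESENT S-box is used as realistic input, and the identity map is a constructed, deliberately weak S-box for comparison.

```python
"""Difference distribution table and linear biases of a 4-bit S-box.

Added example, not from the book. For a single S-box S the
"differential (dx, dy) with probability p" and "bias p" of the text
can be computed exactly by trying all 16 inputs. Probabilities are
returned as exact fractions (counts out of 16).
"""
from fractions import Fraction

N_BITS = 4
SIZE = 1 << N_BITS

# S-box of the PRESENT block cipher (a 4-bit bijection), a realistic input;
# the identity map is a constructed, obviously weak S-box for comparison.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(SIZE))


def ddt(sbox):
    """Difference distribution table: table[dx][dy] is the number of
    inputs x with sbox[x] ^ sbox[x ^ dx] == dy. The differential (dx, dy)
    therefore holds with probability table[dx][dy] / SIZE."""
    table = [[0] * SIZE for _ in range(SIZE)]
    for dx in range(SIZE):
        for x in range(SIZE):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def best_differential(sbox):
    """Most probable differential with a non-zero input difference, as
    (dx, dy, probability). For a random permutation every probability is
    close to 1/SIZE; a large value is exactly the weakness the text
    describes."""
    table = ddt(sbox)
    dx, dy = max(((dx, dy) for dx in range(1, SIZE) for dy in range(SIZE)),
                 key=lambda t: table[t[0]][t[1]])
    return dx, dy, Fraction(table[dx][dy], SIZE)


def parity(v):
    """XOR of the bits of v (1 iff an odd number of bits are set)."""
    return bin(v).count("1") & 1


def linear_bias(sbox, a, b):
    """Bias p in the sense of the text for the input bit positions selected
    by mask a and the output positions selected by mask b:
    p = Pr[(xor of selected output bits) xor (xor of selected input bits) = 0]
    over uniformly chosen x."""
    hits = sum(1 for x in range(SIZE)
               if parity(b & sbox[x]) ^ parity(a & x) == 0)
    return Fraction(hits, SIZE)


def best_linear_approximation(sbox):
    """Non-zero masks (a, b) whose bias is furthest from 1/2, returned as
    (a, b, |p - 1/2|). For a good S-box this distance is small; for an
    affine S-box it reaches 1/2 (p is 0 or 1)."""
    half = Fraction(1, 2)
    a, b = max(((a, b) for a in range(1, SIZE) for b in range(1, SIZE)),
               key=lambda t: abs(linear_bias(sbox, t[0], t[1]) - half))
    return a, b, abs(linear_bias(sbox, a, b) - half)


if __name__ == "__main__":
    for name, sbox in (("PRESENT", PRESENT_SBOX), ("identity", IDENTITY_SBOX)):
        dx, dy, p = best_differential(sbox)
        a, b, dev = best_linear_approximation(sbox)
        print(f"{name}: best differential {dx:#x} -> {dy:#x} with p = {p}; "
              f"best linear masks ({a:#x}, {b:#x}) with |p - 1/2| = {dev}")
```

For the PRESENT S-box the best differential holds with probability 4/16 and the best linear bias is 1/4 away from 1/2, the optimum for any 4-bit bijection; the identity S-box has a differential of probability 1 and a bias of exactly 1, which is what "trivially insecure" looks like in these tables.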
Additional Reading and References

The  confusion-diffusion  paradigm  and  substitution-permutation  networks 
were  introduced  by  Shannon  [127]  and  Feistel  [53].  See  the  thesis  of  Keys  [78] 
for  further  information  regarding  the  design  of  substitution-permutation  net- 
works. Feistel  networks  were  first  described  in  [53].  A theoretical  analysis  of 
them  was  given  by  Luby  and  Rackoff  [97],  and  will  be  discussed  in  Chapter  6. 

The DES standard can be found at [109], and a more reader-friendly de-
scription can be found in the textbook by Kaufman et al. [87]. Details of
the competition leading to the selection of Rijndael as the AES can be found
at http://csrc.nist.gov/CryptoToolkit/aes/index.html. A comprehen-
sive description of AES can be found in [87] as well as the book written by
its designers, Daemen and Rijmen [41]. Cid et al. show an approach that
may lead to cryptanalytic attacks on AES [33]. There are a large number of
other good (and less good) block ciphers in the literature. For a broad but
somewhat outdated overview of other ciphers, see [99, Chapter 7].

The meet-in-the-middle attack on double encryption is due to Diffie and
Hellman [48]. The attack on two-key triple encryption mentioned in the text
(and explored in Exercise 5.12) is by Merkle and Hellman [103]. Theoretical
analysis of the security of double and triple encryption can be found in [3, 17].

DESX is another technique for increasing the effective key length of DES,
without using additional invocations of DES. The secret key consists of the
values $k_1, k_2 \in \{0,1\}^{64}$ and $k \in \{0,1\}^{56}$, and the cipher is defined by

$$\mathrm{DESX}_{k_1,k,k_2}(x) = k_2 \oplus \mathrm{DES}_k(x \oplus k_1).$$

This methodology was first studied by Even and Mansour [52]. Its concrete
application to DES was proposed by Rivest, and its security was later analyzed
by Kilian and Rogaway [88].

Differential cryptanalysis was introduced by Biham and Shamir [18] and its
application to DES is described in [19]. Coppersmith [34] describes the DES
design in light of the public discovery of differential cryptanalysis. Linear
cryptanalysis was discovered by Matsui [98]. Langford’s thesis [93] contains
further improvements of differential and linear cryptanalysis, and also surveys
known attacks on DES (and reduced-round variants) as of 1995. For more
information on these advanced cryptanalytic techniques, we refer the reader
to the excellent tutorial on differential and linear cryptanalysis by Heys [77].
A more concise presentation can be found in the textbook by Stinson [138].


Exercises 

5.1  Say  a block  cipher  F has  the  property  that,  given  oracle  access  to  Fk 
for  randomly-chosen  key  k,  it  is  possible  to  determine  k using  only  100 
queries to the oracle (and minimal computation time). Show formally
that  F cannot  be  a pseudorandom  permutation. 

5.2  In  our  attack  on  a two-round  substitution-permutation  network,  we  con- 
sidered a block length of 64 bits and a network with 16 S-boxes that each
take a 4-bit input. Repeat the analysis for the case of 8 S-boxes, each
taking  an  8-bit  input.  What  is  the  complexity  of  the  attack  now?  Re- 
peat the  analysis  again  with  a 128-bit  block  length  and  16  S-boxes  that 
each  take  an  8-bit  input.  Does  the  block  length  make  any  difference? 

5.3  Our  attack  on  a three-round  substitution-permutation  network  does  not 
recover  the  key  but  only  shows  how  to  distinguish  the  cipher  from  a 
random  permutation.  Thus  it  is  not  a “complete  break” . Despite  this, 
show  that  using  a three-round  substitution-permutation  network  in  the 
counter-mode  encryption  scheme  (see  Section  3.6.4)  can  have  disastrous 
effects  on  the  security  of  encryption. 

5.4 Consider a modified substitution-permutation network where instead
of carrying out the key-mixing, substitution, and permutation steps in
alternating order for $r$ rounds, the cipher instead first applies $r$ rounds of
key-mixing, then carries out $r$ rounds of substitution, and finally applies
$r$ permutations. Analyze the security of this construction.

5.5 What is the output of an $r$-round Feistel network when the input is
$(L_0, R_0)$ in each of the following two cases:

(a) Each round function outputs all 0s, regardless of the input.

(b) Each round function is the identity function.

5.6 Show that DES has the property that $\mathrm{DES}_{\bar{k}}(\bar{x}) = \overline{\mathrm{DES}_k(x)}$ for every
key $k$ and input $x$ (where $\bar{z}$ denotes the bitwise complement of $z$). This
is called the complementarity property of DES. (The description of DES
given in this chapter is sufficient for this exercise.)

5.7 Use the previous exercise to show how it is possible to find the secret
key in DES (with probability 1) in time $2^{55}$.

Hint: Use a chosen-plaintext attack with two carefully chosen plaintexts.

5.8 In the actual construction of DES, the two halves of the output of the
final round of the Feistel network are swapped. That is, if the output
of the final round is $(L_{16}, R_{16})$ then the output of the cipher is in fact
$(R_{16}, L_{16})$. Show that the only difference between the computation of
$\mathrm{DES}_k$ and $\mathrm{DES}_k^{-1}$ (given the swapping of halves) is the order of sub-
keys.
5.9 (This exercise assumes the results of the previous exercise.)

(a) Show that for $k = 0^{56}$ it holds that $\mathrm{DES}_k(\mathrm{DES}_k(x)) = x$. Why
does the use of such a key pose a security threat?

(b) Find three other DES keys with the same property. These keys are
known as weak keys for DES.

(c) Does the existence of these 4 weak keys represent a serious vulner-
ability in DES? Explain your answer.

5.10 Describe attacks on the following modifications to DES:

(a) Each round sub-key is 32 bits long, and the mangler function sim-
ply XORs the round sub-key with the input to the round (i.e.,
$f(k_i, R) = k_i \oplus R$). For this example, the key schedule is unimpor-
tant and you can treat the $k_i$ as independent keys.

(b) Instead of using different sub-keys in every round, the same 48-bit
sub-key is used in every round. Show how to distinguish the cipher
from a random permutation without a $2^{48}$-time brute-force search.

Hint: Exercises 5.8 and 5.9 may help.

5.11  Show  an  improvement  to  the  attack  on  three-round  DES  that  recovers 
the  key  using  two  input/output  pairs  but  runs  in  time  2-2^^-f-2-2^^. 

5.12  This  question  illustrates  an  attack  on  two-key  triple  encryption.  Let 
E be  a block  cipher  with  n-bit  block  length  and  key  length,  and  set 

= 

(a) Assume that given a pair $(m_1, m_2)$ it is possible to find in constant
time all keys $k_2$ such that $m_2 = E_{k_2}(m_1)$. Show how to recover
the entire key for $F'$ (with high probability) in time roughly $2^n$
using three known input/output pairs.

(b) In general, it will not be possible to find $k_2$ as above in constant
time. However, show that by using a pre-processing step taking $2^n$
time it is possible, given $m_2$, to find in (essentially) constant time
all keys $k_2$ such that $m_2 = E_{k_2}(0^n)$.

(c) Assume $k_1$ is known and that the pre-processing step above has
already been run. Show how to use a single pair $(x, y)$ for a chosen
input value $x$ to determine $k_2$ in constant time.

(d) Put the above components together to devise an attack that re-
covers the entire key by running in roughly $2^n$ time and requesting
the encryption of roughly $2^n$ chosen inputs.

5.13  Show  how  all  matches  can  be  found  in  the  meet-in-the-middle  attack 
on  double  encryption  in  time  linear  in  the  number  of  matches  and  the 
lengths  of  the  two  sorted  lists. 
5.14 Say the key schedule of DES is modified as follows: the left half of the
master  key  is  used  to  derive  all  the  sub-keys  in  rounds  1-8,  while  the 
right  half  of  the  master  key  is  used  to  derive  all  the  sub-keys  in  rounds 
9-16.  Show  an  attack  on  this  modified  scheme  that  recovers  the  entire 
key  in  time  roughly  2^®. 

5.15 Consider using DES as a fixed-length collision-resistant hash function
in the following way: Define $h : \{0,1\}^{112} \to \{0,1\}^{64}$ as $h(x_1 \| x_2) \stackrel{\mathrm{def}}{=}
\mathrm{DES}_{x_1}(\mathrm{DES}_{x_2}(0^{64}))$ where $|x_1| = |x_2| = 56$.

(a)  Write  down  an  explicit  collision  in  h. 

Hint:  Use  Exercise  5.9. 

(b)  Show  how  to  find  a pre-image  of  a given  value  y (that  is,  x\,X2 
such  that  h{xi\\x2)  — y)  in  roughly  2^®  time. 

(c)  Show  a more  clever  pre-image  attack  that  runs  in  roughly  2^^  time 
and  succeeds  with  high  probability. 

Hint:  Rely  on  the  results  of  Appendix  A. 4. 


Chapter  6 

* Theoretical  Constructions  of 
Pseudorandom  Objects 


In Chapter 3 we introduced the notion of pseudorandomness, and defined the
basic cryptographic primitives of pseudorandom generators, functions, and
permutations. We showed in Chapters 3 and 4 that these primitives serve as
the basic building blocks for all of private-key cryptography. As such, it is of
great importance to understand these primitives from a theoretical point of
view. In this chapter we formally introduce the concept of one-way functions
— functions that are, informally speaking, easy to compute but hard to invert
— and show how pseudorandom generators and pseudorandom permutations
can be constructed under the sole assumption that one-way functions exist.^
Moreover,  we  will  see  that  one-way  functions  are  a necessary  assumption  for 
essentially  any  non-trivial  cryptographic  task  in  the  private-key  setting.  Tying 
everything  together,  this  means  that  the  existence  of  one-way  functions  is 
equivalent  to  the  existence  of  all  (non-trivial)  private-key  cryptography.  This 
result  constitutes  one  of  the  major  contributions  of  modern  cryptography. 

The constructions of, say, pseudorandom permutations based on one-way
functions  that  we  show  in  this  chapter  should  be  viewed  as  complementary  to 
the  constructions  of  block  ciphers  given  in  the  previous  chapter.  The  focus  of 
the  previous  chapter  was  on  how  pseudorandom  permutations  are  currently 
realized  in  practice,  and  the  intent  of  that  chapter  was  to  introduce  some  basic 
approaches  and  design  principles  that  are  used  in  their  construction.  Some- 
what disappointing,  however,  was  the  fact  that  none  of  the  constructions  we 
showed  could  be  proven  secure  based  on  any  weaker  (i.e.,  more  reasonable) 
assumptions.  In  contrast,  in  the  present  chapter  we  will  prove  that  it  is  pos- 
sible to  construct  pseudorandom  permutations  starting  from  the  very  mild 
assumption  that  one-way  functions  exist.  This  assumption  is  more  reasonable 
than  assuming,  say,  that  DES  is  a pseudorandom  permutation  since  we  have 
a number  of  candidate  one-way  functions  that  have  been  studied  for  many 
years,  even  before  the  advent  of  cryptography.  (See  the  very  beginning  of 
Chapter  5 for  further  discussion  of  this  point.)  The  downside,  though,  is  that 
the  constructions  we  show  here  are  all  far  less  efficient  than  those  of  Chapter  5, 
and thus are not actually used: It remains an important challenge for cryp-
tographers to “bridge this gap” and develop provably-secure constructions
of pseudorandom generators, functions and permutations whose efficiency is
comparable to the best available stream and block ciphers.

^ Actually, this is not quite true since we are for the most part going to rely on one-way
permutations in this chapter. Nevertheless, it is known that one-way functions suffice.

A note  regarding  this  chapter.  The  material  in  this  chapter  is  somewhat 
more  advanced  than  the  other  material  in  this  book.  As  indicated  by  the 
fact  that  the  chapter  is  “starred”,  the  material  presented  here  is  not  used 
in  the  remainder  of  the  book  and  so  this  chapter  can  be  skipped  if  desired. 
Having  said  this,  we  have  tried  to  present  the  material  in  such  a way  that  it 
is  understandable  (with  effort)  to  an  advanced  undergraduate  or  beginning 
graduate  student.  We  highly  encourage  everyone  to  read  Sections  6.1  and  6.2 
which  introduce  one-way  functions  and  provide  an  overview  of  the  construc- 
tions described  in  the  rest  of  this  chapter.  We  believe  that  familiarity  with 
at  least  some  of  the  topics  covered  here  is  important  enough  to  warrant  the 
effort  involved. 


6.1  One-Way  Functions 

In this section we formally define one-way functions, and then briefly dis-
cuss some candidates that are widely believed to satisfy this definition. (We
will see many more examples of conjectured one-way functions in Chapters 7
and 11.) We conclude this section by introducing the notion of hard-core pred-
icates; these can be viewed (in some sense) as “encapsulating” the hardness of
inverting a one-way function, and will be used extensively in the constructions
that follow in subsequent sections.

6.1.1  Definitions 

A one-way function $f$ has the property that it is easy to compute, but hard
to invert. The first condition is easy to formalize: we will simply require
that $f$ be computable in polynomial time. As for the second condition, since
we are ultimately interested in building cryptographic schemes that are hard
for a probabilistic polynomial-time adversary to break except with negligible
probability, we will formalize the hardness of inverting $f$ by requiring that it be
infeasible for any probabilistic polynomial-time algorithm to invert $f$ — that
is, to find a pre-image of a given value $y$ — except with negligible probability.
(It is always possible to find a pre-image with negligible probability just by
guessing. Likewise, it is always possible to find a pre-image in exponential
time by performing a brute-force search over the domain of $f$.) An important
technical point is that this probability is taken over an experiment in which
$y$ is generated by choosing an element $x$ of the domain at random and then
setting $y := f(x)$ (rather than choosing $y$ at random from the range). This
will become clear from the formal definition that follows.
Let $f : \{0,1\}^* \to \{0,1\}^*$ be a function. Consider the following experiment
defined for any algorithm $A$ and any value $n$ for the security parameter:

The inverting experiment $\mathsf{Invert}_{A,f}(n)$:

1. Choose input $x \leftarrow \{0,1\}^n$. Compute $y := f(x)$.

2. $A$ is given $1^n$ and $y$ as input, and outputs $x'$.

3. The output of the experiment is defined to be 1 if $f(x') = y$,
and 0 otherwise.

We stress that $A$ need not find $x$ itself; it suffices for $A$ to find any value $x'$ for
which $f(x') = y = f(x)$. We give the security parameter to $A$ in the second
step for technical reasons: we want to allow $A$ to run in time polynomial in
the security parameter $n$, irrespective of the length of $y$.

We can now define what it means for a function $f$ to be one-way.

DEFINITION 6.1 A function $f : \{0,1\}^* \to \{0,1\}^*$ is one-way if the
following two conditions hold:

1. (Easy to compute:) There exists a polynomial-time algorithm $M_f$ com-
puting $f$; that is, $M_f(x) = f(x)$ for all $x$.

2. (Hard to invert:) For every probabilistic polynomial-time algorithm $A$,
there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Invert}_{A,f}(n) = 1] \le \mathsf{negl}(n).$$

Notation: In this chapter we will often make the probability space (more)
explicit by subscripting it in the probability. Using this notation, for example,
we can very succinctly express the second requirement in the definition above
as follows: For every probabilistic polynomial-time algorithm $A$, there exists
a negligible function $\mathsf{negl}$ such that

$$\Pr_{x \leftarrow \{0,1\}^n}\left[A(1^n, f(x)) \in f^{-1}(f(x))\right] \le \mathsf{negl}(n).$$

Successful inversion of one-way functions. A function that is not one-
way is not necessarily easy to invert all the time (or even “often”). Rather,
the converse of the second condition of Definition 6.1 is that there exists a
probabilistic polynomial-time algorithm $A$ and a non-negligible function $\epsilon$
such that $A$ inverts $f(x)$ with probability at least $\epsilon(n)$ (where the probability
is taken over random choice of $x \leftarrow \{0,1\}^n$). This means, in turn, that there
exists a positive polynomial $q(\cdot)$ such that for infinitely many values of $n$, the
algorithm $A$ inverts $f$ with probability at least $1/q(n)$. Thus, if there exists
an $A$ that inverts $f$ with probability for all even values of $n$ (but always
fails to invert $f$ when $n$ is odd), then $f$ is not one-way. This holds even though
$A$ only succeeds on half the values of $n$, and even though $A$ only succeeds with
probability (for values of $n$ where it succeeds at all).

Exponential-time inversion. Any one-way function can be inverted given
enough time. Specifically, given a value $y$ and the security parameter $1^n$, it is
always possible to simply try all values $x \in \{0,1\}^n$ until a value $x$ is found such
that $f(x) = y$. This algorithm runs in exponential time and always succeeds.
Thus, the existence of one-way functions is inherently an assumption about
computational complexity and computational hardness. That is, it considers
a problem that can be solved in principle but is assumed to be hard to solve
efficiently.

One-way permutations. We will often be interested in one-way functions
with additional structural properties. We say a function is length-preserving
if $|f(x)| = |x|$ for all $x$. A one-way function that is length-preserving and
one-to-one is called a one-way permutation. Formally:

DEFINITION 6.2 Let $f : \{0,1\}^* \to \{0,1\}^*$ be length-preserving, and let
$f_n$ be the restriction of $f$ to the domain $\{0,1\}^n$ (i.e., $f_n$ is only defined for
$x \in \{0,1\}^n$, in which case $f_n(x) = f(x)$). A one-way function $f$ is called a
one-way permutation if for every $n$, the function $f_n$ is a bijection.

An interesting property of one-way permutations is that any value $y$ uniquely
determines its pre-image $x = f^{-1}(y)$. Even though $y$ fully determines $x$, it is
still hard to find $x$ in polynomial time.

Families of one-way functions and permutations. The above defini-
tions of one-way functions and permutations are very convenient in that they
consider a single function over an infinite domain and range. However, most
candidate one-way functions and permutations that we know of do not fit
naturally into this framework. Rather, there is typically an algorithm that
generates some parameters $I$ which define some function $f_I$; the requirement
is essentially that $f_I$ should be one-way with all but negligible probability over
choice of $I$. Because each value of $I$ defines a different function, we now refer
to families of one-way functions (resp., permutations). We give the definition
now, and refer the reader to the next section for a concrete example (see also
Section 7.4.1).

DEFINITION 6.3 A tuple $\Pi = (\mathsf{Gen}, \mathsf{Samp}, f)$ of probabilistic polynomial-
time algorithms is a family of functions if the following hold:

1. The parameter-generation algorithm $\mathsf{Gen}$, on input $1^n$, outputs parameters
$I$ with $|I| \ge n$. Each value of $I$ output by $\mathsf{Gen}$ defines sets $\mathcal{D}_I$ and $\mathcal{R}_I$ that
constitute the domain and range, respectively, of a function $f_I$ defined
below.

2. The sampling algorithm $\mathsf{Samp}$, on input $I$, outputs a uniformly distributed
element of $\mathcal{D}_I$ (except possibly with probability negligible in $|I|$).

3. The deterministic evaluation algorithm $f$, on input $I$ and $x \in \mathcal{D}_I$, outputs
an element $y \in \mathcal{R}_I$. We write this as $y := f_I(x)$.

$\Pi$ is a family of permutations if for each value of $I$ output by $\mathsf{Gen}(1^n)$, it holds
that $\mathcal{D}_I = \mathcal{R}_I$ and the function $f_I : \mathcal{D}_I \to \mathcal{D}_I$ is a bijection.

Let $\Pi$ be a family of functions. What follows is the obvious analogue of the
experiment introduced previously.

The inverting experiment $\mathsf{Invert}_{A,\Pi}(n)$:

1. $\mathsf{Gen}(1^n)$ is run to obtain $I$, and then $\mathsf{Samp}(I)$ is run to obtain
a random $x \in \mathcal{D}_I$. Finally, $y := f_I(x)$ is computed.

2. $A$ is given $I$ and $y$ as input, and outputs $x'$.

3. The output of the experiment is defined to be 1 if $f_I(x') = y$,
and 0 otherwise.

A function family is one-way if success in the above experiment occurs with
negligible probability.

DEFINITION 6.4 A function/permutation family $\Pi = (\mathsf{Gen}, \mathsf{Samp}, f)$
is one-way if for all probabilistic polynomial-time algorithms $A$ there exists a
negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Invert}_{A,\Pi}(n) = 1] \le \mathsf{negl}(n).$$

Throughout  this  chapter  we  work  with  one-way  functions  and  permutations 
as  per  Definitions  6.1  and  6.2,  rather  than  working  with  families  of  one-way 
functions.  This  is  primarily  for  convenience,  and  does  not  significantly  affect 
any  of  the  results.  See  also  Exercise  6.6. 

6.1.2 Candidate One-Way Functions

One-way functions are of interest only if they exist. Since we do not know
how to prove that they exist unconditionally (because this would imply a
major breakthrough in complexity theory), we conjecture or assume their
existence. This conjecture (or assumption) is based on some very natural
computational problems that have received much attention, and have yet to
yield polynomial-time algorithms. Perhaps the most famous of these problems
is that of integer factorization, i.e., finding the prime factors of a large integer.
This leads us to define the function $f_{\mathsf{mult}}(x, y) = x \cdot y$. (Formally, on input
a string of length $n$, we let $x$ be the first $\lfloor n/2 \rfloor$ bits and $y$ be the last $\lceil n/2 \rceil$
bits; the output is $xy$.) Note, however, that if we do not place any restriction
on the lengths of $x$ and $y$, then $f_{\mathsf{mult}}$ is easy to invert: with high probability
$x \cdot y$ will be even in which case the factors $(2, xy/2)$ can be returned as an
inverse. There are two ways to modify $f_{\mathsf{mult}}$ to address this problem. The
more direct way to do this is to simply include the lengths of $x$ and $y$ (when
viewed as integers, ignoring leading 0s) as part of the output; i.e., to define

$$f_{\mathsf{mult}}(x, y) = (xy, \|x\|, \|y\|).$$

Alternatively, as described above, we can require that $x$ and $y$ are always both
of length exactly $n/2$. A second approach is, in essence, to restrict the domain
of $f_{\mathsf{mult}}$ to equal-length primes $x$ and $y$. We return to this idea in Chapter 7.
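The inverting experiment defined in Section 6.1.1, run against the candidate $f_{\mathsf{mult}}$ and the trivial "even product" adversary just described, as an added example that is not from the book. The security parameter is kept tiny so that every input is enumerated and the success probability of the adversary is exact; this makes concrete how much the two fixes (fixing the lengths of $x$ and $y$, or tagging the output with $\|x\|, \|y\|$) take away from that adversary, and that the experiment accepts any pre-image, not only the original $x$.

```python
"""The inverting experiment Invert_{A,f}(n), run exhaustively for f_mult.

Added example, not from the book. Three readings of f_mult(x, y) = x * y
are compared against the trivial adversary described in the text, which
answers (2, xy/2) whenever the product is even:
  * unrestricted: any pair of integers counts as a pre-image;
  * restricted: x' must itself be an n-bit string, i.e. both halves
    must be < 2^(n/2), as in the formal definition of f_mult;
  * tagged: the output is (xy, ||x||, ||y||) with the bit lengths included.
For small n every n-bit input is enumerated, so the success probability
returned is exact rather than estimated by sampling.
"""
from fractions import Fraction


def bit_length(v):
    """||v||: the length of v viewed as an integer, ignoring leading zeros."""
    return v.bit_length()


def all_inputs(n):
    """Every n-bit input, split into x (first n//2 bits) and y (the rest)."""
    half = 1 << (n // 2)
    return [(x, y) for x in range(half) for y in range(half)]


def f_mult(pair):
    x, y = pair
    return x * y


def f_mult_tagged(pair):
    x, y = pair
    return (x * y, bit_length(x), bit_length(y))


def adversary_even(n, output):
    """A(1^n, y): if the product is even, answer the pair (2, product/2);
    otherwise give up (None). Handles both output encodings above."""
    product = output[0] if isinstance(output, tuple) else output
    if product % 2 == 0:
        return (2, product // 2)
    return None


def in_n_bit_domain(n, pair):
    """True iff the pair is the split of some n-bit string."""
    half = 1 << (n // 2)
    return 0 <= pair[0] < half and 0 <= pair[1] < half


def invert_success_probability(f, n, adversary, in_domain=lambda n, p: True):
    """Pr[Invert_{A,f}(n) = 1] over all x in {0,1}^n: the experiment outputs
    1 iff A returns some x' in the domain with f(x') = f(x). As the text
    stresses, x' need not equal the x that was chosen."""
    inputs = all_inputs(n)
    successes = 0
    for x in inputs:
        y = f(x)
        x_prime = adversary(n, y)
        if x_prime is not None and in_domain(n, x_prime) and f(x_prime) == y:
            successes += 1
    return Fraction(successes, len(inputs))


if __name__ == "__main__":
    n = 8  # constructed toy parameter: 4-bit x and 4-bit y
    print("unrestricted:", invert_success_probability(f_mult, n, adversary_even))
    print("restricted:  ", invert_success_probability(f_mult, n, adversary_even,
                                                      in_n_bit_domain))
    print("tagged:      ", invert_success_probability(f_mult_tagged, n,
                                                      adversary_even))
```

With $n = 8$ the unrestricted variant is inverted with probability exactly $3/4$ (whenever $xy$ is even), while requiring the answer to be an $n$-bit string or tagging the output with the lengths drops the same adversary to $89/256$ and $21/256$ respectively, fractions that shrink rapidly as $n$ grows.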

Another candidate one-way function, not relying directly on number theory,
is based on the subset-sum problem and is defined by

$$f(x_1, \ldots, x_n, J) = \Big(x_1, \ldots, x_n, \sum_{j \in J} x_j\Big),$$

where each $x_i$ is an $n$-bit string interpreted as an integer, and $J$ is an $n$-bit
string interpreted as a subset of $\{1, \ldots, n\}$. Given an output $(x_1, \ldots, x_n, y)$
of this function, the task of inverting it is exactly that of finding a subset
$J' \subseteq \{1, \ldots, n\}$ such that $\sum_{j \in J'} x_j = y$. Students who have studied $\mathcal{NP}$-
completeness may be familiar with the fact that this problem is $\mathcal{NP}$-complete.
We stress that this does not mean that $\mathcal{P} \ne \mathcal{NP}$ implies the existence of one-
way functions: $\mathcal{P} \ne \mathcal{NP}$ would mean that the subset-sum problem cannot
be solved in the worst-case in polynomial-time, while a one-way function
is required to be hard to invert almost always. Thus, our belief that the
function above is one-way is based on the lack of known algorithms to solve
this problem, and not merely on the fact that the general problem is $\mathcal{NP}$-
complete.

We conclude by showing a family of permutations that is believed to be one-
way. Let $\mathsf{Gen}$ be a probabilistic polynomial-time algorithm that, on input $1^n$,
outputs an $n$-bit prime $p$ along with a special element $g \in \{2, \ldots, p-1\}$. (We
will see in Chapter 7 that such algorithms exist. We leave undefined for now
what we mean when we say that $g$ is “special”.) Let $\mathsf{Samp}$ be an algorithm
that given $p$ and $g$ outputs a random integer $x$ in the range $\{1, \ldots, p-1\}$.
Finally, define

$$f_{p,g}(x) \stackrel{\mathrm{def}}{=} g^x \bmod p$$

for $x \in \{1, \ldots, p-1\}$. The fact that $f_{p,g}$ can be computed efficiently follows
from the results in Appendix B.2.3. It can be shown that this function is
one-to-one, and thus a permutation. The presumed difficulty of inverting
this function is based on the conjectured hardness of the discrete logarithm
problem; we will have much more to say about this in Chapter 7.

6.1.3  Hard-Core  Predicates 

By definition, a one-way function is hard to invert. Stated differently, given
a value $y = f(x)$, the value of $x$ cannot be determined in its entirety by any
polynomial-time algorithm. This may give the impression that nothing about
$x$ can be determined in polynomial time from $f(x)$. However, this is not the
case. Indeed, it is possible that $f(x)$ “leaks” a lot of information about $x$, and
yet $f$ is still hard to invert. For a trivial example, let $f$ be a one-way function
and define $g(x_1, x_2) = (x_1, f(x_2))$, where $|x_1| = |x_2|$. It is easy to show that $g$
is also a one-way function (this is left as an exercise), even though it reveals
half its input.

For our applications, we will need to find some information about $x$ that is
hidden by $f(x)$. This motivates the notion of a hard-core predicate. Loosely
speaking, a hard-core predicate $\mathsf{hc} : \{0,1\}^* \to \{0,1\}$ of a function $f$ has
the following property: given $f(x)$, it is infeasible for any polynomial-time
algorithm to correctly determine $\mathsf{hc}(x)$ with probability significantly better
than 1/2. (It is always possible to compute $\mathsf{hc}(x)$ correctly with probability
exactly 1/2 by random guessing.)


DEFINITION 6.5 A function $\mathsf{hc} : \{0,1\}^* \to \{0,1\}$ is a hard-core predicate
of a function $f$ if (1) $\mathsf{hc}$ can be computed in polynomial time, and (2) for every
probabilistic polynomial-time algorithm $A$ there exists a negligible function $\mathsf{negl}$
such that

$$\Pr_{x \leftarrow \{0,1\}^n}\left[A(1^n, f(x)) = \mathsf{hc}(x)\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the uniform choice of $x$ in $\{0,1\}^n$ and the
random coin tosses of $A$.

We stress that $\mathsf{hc}(x)$ is efficiently computable given $x$ (since the function
$\mathsf{hc}$ can be computed in polynomial time); the definition requires that $\mathsf{hc}(x)$ is
hard to compute given $f(x)$. The above definition does not require $f$ to be
one-way, though we will only be interested in hard-core predicates when that
is the case.

Simple ideas don't work. Consider for a moment the candidate hard-core
predicate defined as $\mathsf{hc}(x) = \bigoplus_{i=1}^{n} x_i$, where $x_1, \ldots, x_n$ denote the bits of $x$.
The intuition behind why this function "should" be a hard-core predicate is
that if $f$ cannot be inverted, then $f(x)$ must hide at least one of the bits $x_i$
of its pre-image. Then, the exclusive-or of all of the bits of $x$ must be hard
to compute (since $x_i$ alone is already hard to compute). Despite its appeal,
this argument is incorrect. Specifically, given a one-way function $f$, define
the function $g(x) = \bigl(f(x), \bigoplus_{i=1}^{n} x_i\bigr)$. It is not hard to show that $g$ is one-way.
However, it is clear that $g(x)$ does not hide the value of $\mathsf{hc}(x) = \bigoplus_{i=1}^{n} x_i$
because this is part of its output; therefore, $\mathsf{hc}$ is not always a hard-core
predicate. (By extending this argument, it can be shown that for any given
predicate $\mathsf{hc}$, there exists a one-way function $f$ for which $\mathsf{hc}$ is not a hard-core
predicate of $f$.)
Trivial hard-core predicates. Some functions have "trivial" hard-core
predicates. For example, let $f$ be the function that simply drops the last
bit of its input (i.e., $f(x_1 \cdots x_n) = x_1 \cdots x_{n-1}$). It is immediate that the
predicate $\mathsf{hc}(x) = x_n$ is hard to predict given $f(x) = x_1 \cdots x_{n-1}$, since $x_n$ is
independent of the output. However, $f$ is not one-way. When we use hard-core
predicates to construct pseudorandom generators, it will become clear why trivial
hard-core predicates of this sort are of no use for cryptography.

In contrast, a one-to-one function $f$ that has a hard-core predicate must
be one-way (see Exercise 6.10). Intuitively, this is the case because when a
function is one-to-one, the value $f(x)$ fully determines $x$ in an information-
theoretic sense. Thus, inability to compute $\mathsf{hc}(x)$ from $f(x)$ must be due to
some computational limitation in determining $x$ from $f(x)$.


6.2  Overview: From One-Way Functions to Pseudorandom Permutations

The  goal  of  this  chapter  is  to  show  how  to  construct  pseudorandom  genera- 
tors, functions,  and  permutations  based  on  any  one-way  permutation.  In  this 
section,  we  give  an  overview  of  these  constructions.  Details  are  given  in  the 
sections  that  follow. 

A hard-core  predicate  for  any  one-way  function.  The  first  step  is  to 
show  that  a hard-core  predicate  exists  for  any  one-way  function.  Actually, 
it  remains  open  whether  such  a statement  is  true;  we  will  show  something 
slightly  weaker  that  suffices  for  our  purposes.  Namely,  we  will  show  that 
given any one-way function $f$ we can construct a different one-way function
$g$ along with a hard-core predicate for $g$. That is:

THEOREM  6.6  Let  f be  a one-way  function.  Then  there  exists  (con- 
structively) a one-way  function  g along  with  a hard-core  predicate  gl  for  g. 
Furthermore,  if  f is  a permutation  then  so  is  g. 

(The hard-core predicate is denoted $\mathsf{gl}$ after Goldreich and Levin, who proved
Theorem 6.6.) Functions $g$ and $\mathsf{gl}$ are constructed as follows: set
$g(x, r) \stackrel{\text{def}}{=} (f(x), r)$, for $|x| = |r|$, and define

$$\mathsf{gl}(x, r) \stackrel{\text{def}}{=} \bigoplus_{i=1}^{n} x_i \cdot r_i,$$

where $x = x_1 \cdots x_n$ (and similarly for $r$). Notice that the function $\mathsf{gl}(x, \cdot)$
outputs the exclusive-or of a random subset of the bits of $x$. This is due to
the fact that $r$ can be viewed as selecting a random subset of $\{1, \ldots, n\}$ (i.e.,
when $r_i = 1$ the bit $x_i$ is included in the XOR, and otherwise it is not), and
$r$ is uniformly distributed. Thus, Theorem 6.6 essentially states that if $f$ is
an arbitrary one-way function, then $f(x)$ hides the exclusive-or of a random
subset of the bits of $x$.

Pseudorandom  generators  from  one-way  permutations.  The  next  step 
is  to  show  how  the  hard-core  predicate  of  a one-way  permutation  can  be  used 
to  construct  a pseudorandom  generator.  (It  is  known  that  one-way  functions 
suffice  for  constructing  pseudorandom  generators,  but  the  proof  is  extremely 
complicated  and  well  beyond  the  scope  of  this  book.)  Specifically,  we  show 
the  following: 

THEOREM 6.7 Let $f$ be a one-way permutation and let $\mathsf{hc}$ be a hard-core
predicate of $f$. Then, $G(s) = (f(s), \mathsf{hc}(s))$ constitutes a pseudorandom
generator with expansion factor $\ell(n) = n + 1$.

As intuition for why $G$ as defined in the theorem constitutes a pseudorandom
generator, note first that the initial $n$ bits of the output of $G(s)$ (i.e.,
the bits of $f(s)$) are truly random when $s$ is chosen uniformly at random, by
virtue of the fact that $f$ is a permutation. Next, the fact that $\mathsf{hc}$ is a hard-core
predicate means that $\mathsf{hc}(s)$ "looks random" (i.e., is pseudorandom) even given
$f(s)$ (assuming again that $s$ is chosen at random). Putting these observations
together we see that the entire output of $G$ is pseudorandom.

Pseudorandom generators with arbitrary expansion. The existence of
a pseudorandom generator that stretches its seed by even a single bit (as we
have just seen) is already highly non-trivial. But for applications (e.g., for
efficient encryption of large messages as in Section 3.4), we need a pseudorandom
generator with a much larger expansion factor. Fortunately, we can obtain
an expansion factor that is essentially as large as we like:

THEOREM 6.8 Assume that there exists a pseudorandom generator with
expansion factor $\ell(n) = n + 1$. Then for any polynomial $p(\cdot)$, there exists a
pseudorandom generator with expansion factor $\ell(n) = p(n)$.

We  conclude  that  pseudorandom  generators  with  (essentially)  arbitrary  ex- 
pansion factor  can  be  constructed  from  any  one-way  permutation. 

Pseudorandom  functions  and  permutations  from  pseudorandom  gen- 
erators. Pseudorandom  generators  suffice  for  obtaining  private-key  encryp- 
tion schemes  with  indistinguishable  encryptions  in  the  presence  of  an  eaves- 
dropper. For  achieving  CPA-secure  private-key  encryption  (not  to  mention 
message  authentication  codes),  however,  we  relied  on  pseudorandom  func- 
tions. The  following  result  shows  that  the  latter  can  be  constructed  from  the 
former: 
THEOREM 6.9 Assume that there exists a pseudorandom generator with
expansion factor $\ell(n) = 2n$. Then there exist pseudorandom functions.

In fact, we can do even more:

THEOREM 6.10 Assume that there exist pseudorandom functions. Then
there exist strong pseudorandom permutations.

Combining all the above theorems, as well as the results of Chapters 3
and 4, we have the following corollaries:

COROLLARY  6.11  Assuming  the  existence  of  one-way  permutations, 
there  exist  pseudorandom  generators  with  any  polynomial  expansion  factor, 
pseudorandom  functions,  and  strong  pseudorandom  permutations. 

COROLLARY  6.12  Assuming  the  existence  of  one-way  permutations, 
there  exist  CCA-secure  private-key  encryption  schemes,  and  message  authen- 
tication codes  that  are  existentially  unforgeable  under  an  adaptive  chosen  mes- 
sage attack. 

As  noted  earlier,  it  is  actually  possible  to  obtain  all  these  results  based 
solely  on  the  existence  of  one-way  functions. 


6.3  A Hard-Core  Predicate  for  Any  One-Way  Function 

In this section, we prove Theorem 6.6 by showing the following:

THEOREM 6.13 Let $f$ be a one-way function and define $g$ by $g(x, r) = (f(x), r)$,
where $|x| = |r|$. Define

$$\mathsf{gl}(x, r) \stackrel{\text{def}}{=} \bigoplus_{i=1}^{n} x_i \cdot r_i,$$

where $x = x_1 \cdots x_n$ and $r = r_1 \cdots r_n$. Then $\mathsf{gl}$ is a hard-core predicate of the
function $g$.

We  now  proceed  to  prove  Theorem  6.13.  Due  to  the  complexity  of  the 
proof,  we  prove  three  successively  stronger  results  culminating  with  what  is 
claimed  in  the  theorem. 

6.3.1  A Simple  Case 

We first show that if there exists a polynomial-time adversary $A$ that always
correctly computes $\mathsf{gl}(x, r)$ given $g(x, r) = (f(x), r)$, then it is possible




to invert $f$ in polynomial time. Given the assumption that $f$ is a one-way
function, it follows that no such adversary $A$ exists.

PROPOSITION 6.14 Let $f$ and $\mathsf{gl}$ be as in Theorem 6.13. If there exists
a probabilistic polynomial-time algorithm $A$ such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] = 1$$

for infinitely many values of $n$, then there exists a probabilistic polynomial-
time algorithm $A'$ such that

$$\Pr_{x \leftarrow \{0,1\}^n}\bigl[A'(f(x)) \in f^{-1}(f(x))\bigr] = 1$$

for infinitely many values of $n$.

PROOF Let $A$ be as in the proposition. We construct $A'$ as follows. On
input $y$ with $|y| = n$, adversary $A'$ computes $\hat{x}_i := A(y, e^i)$ for $i = 1, \ldots, n$,
where $e^i$ denotes the $n$-bit string with $1$ in the $i$th position and $0$ everywhere
else. Then $A'$ outputs $\hat{x} = \hat{x}_1 \cdots \hat{x}_n$. Clearly $A'$ runs in polynomial time.

To analyze the success of $A'$ in inverting $f$, fix an $n$ for which

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] = 1 \qquad (6.1)$$

and consider the execution of $A'(y)$. Denote $y = f(x)$. Then, the value $\hat{x}_i$
computed by $A'$ satisfies

$$\hat{x}_i = A(f(x), e^i) = \bigoplus_{j=1}^{n} x_j \cdot e^i_j = x_i,$$

using the definition of $\mathsf{gl}(x, r)$ for the second equality, and the fact that $e^i_j = 0$
for all $j \neq i$ for the third equality. Thus, $\hat{x}_i = x_i$ for all $i$ and so $A'$ outputs
the correct inverse $\hat{x} = x$ with probability $1$. ∎

By the assumption that $f$ is one-way, it is impossible for any probabilistic
polynomial-time algorithm to invert $f$ with non-negligible probability. Thus,
we conclude that there is no probabilistic polynomial-time algorithm that
always correctly computes $\mathsf{gl}(x, r)$ from $(f(x), r)$ for infinitely many values
of $n$. This is a rather weak result that is very far from our ultimate goal
of showing that $\mathsf{gl}(x, r)$ cannot be determined with probability significantly
better than $1/2$.

6.3.2  A More  Involved  Case 

We now show that it is hard for any polynomial-time algorithm $A$ to compute
$\mathsf{gl}(x, r)$ with probability significantly better than $3/4$. Assuming such
an $A$ exists, we will once again show that this implies the existence of a
polynomial-time $A'$ that inverts $f$ with non-negligible probability. Notice
that the strategy in the proof of Proposition 6.14 fails completely here because
it may be that $A$ never succeeds when $r = e^i$ (though it may succeed,
say, on all other values of $r$). Furthermore, in the present case $A'$ does not
know whether a particular bit output by $A$, as a guess for $\mathsf{gl}(x, r)$, is correct or not;
the only thing $A'$ knows is that with probability non-negligibly greater than
$3/4$, adversary $A$ is correct. These issues further complicate the proof.


PROPOSITION 6.15 Let $f$ and $\mathsf{gl}$ be as in Theorem 6.13. If there exists
a probabilistic polynomial-time algorithm $A$ and a polynomial $p(\cdot)$ such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{3}{4} + \frac{1}{p(n)}$$

for infinitely many values of $n$, then there exists a probabilistic polynomial-
time algorithm $A'$ such that

$$\Pr_{x \leftarrow \{0,1\}^n}\bigl[A'(f(x)) \in f^{-1}(f(x))\bigr] \ge \frac{1}{4p(n)}$$

for infinitely many values of $n$.


PROOF The main observation underlying the proof of this proposition is
that for every $r \in \{0,1\}^n$, the values $\mathsf{gl}(x, r \oplus e^i)$ and $\mathsf{gl}(x, r)$ together can
be used to derive the $i$th bit of $x$. (Recall that $e^i$ denotes the $n$-bit string
with $0$s everywhere except the $i$th position.) This follows from the following
calculation:

$$\mathsf{gl}(x, r) \oplus \mathsf{gl}(x, r \oplus e^i)
= \Bigl(\bigoplus_{j=1}^{n} x_j \cdot r_j\Bigr) \oplus \Bigl(\bigoplus_{j=1}^{n} x_j \cdot (r_j \oplus e^i_j)\Bigr)
= x_i \cdot r_i \oplus \bigl(x_i \cdot (r_i \oplus 1)\bigr) = x_i,$$

where the second equality is due to the fact that for all $j \neq i$, the value $x_j \cdot r_j$
appears in both sums and so is canceled out.

The above illustrates that if $A$ answers correctly on both $(f(x), r)$ and
$(f(x), r \oplus e^i)$, then $A'$ can correctly compute $x_i$. Unfortunately, $A'$ does not
know when $A$ answers correctly and when it does not; it only knows that
$A$ answers correctly with "high" probability. For this reason, $A'$ will use
multiple random values of $r$, using each one to obtain a guess for $x_i$, and will
then take the majority value as its final guess of $x_i$. As a preliminary step,
we therefore show that for many $x$'s, the probability that $A$ answers correctly
for both $(f(x), r)$ and $(f(x), r \oplus e^i)$, when $r$ is chosen uniformly at random,
is sufficiently high. This is proved in the following claims. These claims will
allow us to fix $x$ and then focus solely on the uniform choice of $r$, which makes
the analysis easier.


CLAIM 6.16 Let $n$ be such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{3}{4} + \frac{1}{p(n)}.$$

Then there exists a set $S_n \subseteq \{0,1\}^n$ of size at least $\frac{1}{2p(n)} \cdot 2^n$ such that for
every $x \in S_n$ it holds that

$$\Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{3}{4} + \frac{1}{2p(n)}. \qquad (6.2)$$
PROOF Set $\varepsilon(n) = 1/p(n)$ and for any $x \in \{0,1\}^n$, let

$$s(x) \stackrel{\text{def}}{=} \Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr].$$

Let $S_n$ be the set of all $x$'s for which $s(x) \ge 3/4 + \varepsilon(n)/2$ (i.e., for which
Equation (6.2) holds). If $S_n = \{0,1\}^n$ we are done. Otherwise, we show that
$|S_n| \ge \frac{\varepsilon(n)}{2} \cdot 2^n$ using a simple averaging argument. We have:

$$\begin{aligned}
\Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr]
&= \Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \mid x \in S_n\bigr] \cdot \Pr_{x}[x \in S_n] \\
&\quad + \Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \mid x \notin S_n\bigr] \cdot \Pr_{x}[x \notin S_n] \\
&\le \Pr_{x}[x \in S_n] + \Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \mid x \notin S_n\bigr],
\end{aligned}$$

where subscripted variables (i.e., $x$ and/or $r$) indicate those being chosen at
random from $\{0,1\}^n$, while non-subscripted variables are fixed. Therefore:

$$\Pr_{x}[x \in S_n] \ge \Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] - \Pr_{x, r}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \mid x \notin S_n\bigr].$$

By definition of $S_n$, for every $x \notin S_n$, $\Pr_r[A(f(x), r) = \mathsf{gl}(x, r)] < 3/4 + \varepsilon(n)/2$.
That is, $\Pr_{x, r}[A(f(x), r) = \mathsf{gl}(x, r) \mid x \notin S_n] < 3/4 + \varepsilon(n)/2$, and so

$$\Pr_{x}[x \in S_n] \ge \Bigl(\frac{3}{4} + \varepsilon(n)\Bigr) - \Bigl(\frac{3}{4} + \frac{\varepsilon(n)}{2}\Bigr) = \frac{\varepsilon(n)}{2}.$$

This implies that $S_n$ must be of size at least $\frac{\varepsilon(n)}{2} \cdot 2^n$ (because $x$ is uniformly
distributed in $\{0,1\}^n$), completing the proof of the claim. ∎
The following, which is the result we need, now follows as an easy corollary.

CLAIM 6.17 Let $n$ be such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{3}{4} + \frac{1}{p(n)}.$$

Then there exists a set $S_n \subseteq \{0,1\}^n$ of size at least $\frac{1}{2p(n)} \cdot 2^n$ such that for
every $x \in S_n$ and every $i$ it holds that

$$\Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \,\wedge\, A(f(x), r \oplus e^i) = \mathsf{gl}(x, r \oplus e^i)\bigr] \ge \frac{1}{2} + \frac{1}{p(n)}.$$

PROOF Let $\varepsilon(n) = 1/p(n)$, and take $S_n$ to be the set guaranteed by the
previous claim. We know that for any $x \in S_n$ we have

$$\Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) \neq \mathsf{gl}(x, r)\bigr] \le \frac{1}{4} - \frac{\varepsilon(n)}{2}.$$

Fix any $i \in \{1, \ldots, n\}$. If $r$ is uniformly distributed then so is $r \oplus e^i$; this
means that

$$\Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r \oplus e^i) \neq \mathsf{gl}(x, r \oplus e^i)\bigr] \le \frac{1}{4} - \frac{\varepsilon(n)}{2}.$$

We are interested in lower-bounding the probability that $A$ outputs the
correct answer for both $\mathsf{gl}(x, r)$ and $\mathsf{gl}(x, r \oplus e^i)$; equivalently, we want to upper-
bound the probability that $A$ fails to output the correct answer in either of
these cases. Note that $r$ and $r \oplus e^i$ are not independent, and so we cannot just
multiply the probabilities of failure. However, we can apply the union bound
(see Proposition A.7 in Appendix A) and just sum the probabilities of failure.
That is, the probability that $A$ is incorrect on either $\mathsf{gl}(x, r)$ or $\mathsf{gl}(x, r \oplus e^i)$ is
at most

$$2 \cdot \Bigl(\frac{1}{4} - \frac{\varepsilon(n)}{2}\Bigr) = \frac{1}{2} - \varepsilon(n),$$

and so $A$ is correct on both $\mathsf{gl}(x, r)$ and $\mathsf{gl}(x, r \oplus e^i)$ with probability at least
$1/2 + \varepsilon(n)$. This proves the claim. ∎

For the rest of the proof we set $\varepsilon(n) = 1/p(n)$ and consider only those
values of $n$ for which $A$ succeeds with probability at least $3/4 + \varepsilon(n)$. The
claim above states that for an $\varepsilon(n)/2$ fraction of inputs $x$, the adversary $A$
answers correctly on both $(f(x), r)$ and $(f(x), r \oplus e^i)$ with probability at least
$1/2 + \varepsilon(n)$ over the random choice of $r$, and from now on we will focus only on
such values of $x$. We construct a probabilistic polynomial-time algorithm $A'$
that inverts $f(x)$ with probability at least $1/2$ when $x \in S_n$. This suffices to
prove the proposition since then

$$\begin{aligned}
\Pr_{x}\bigl[A'(f(x)) \in f^{-1}(f(x))\bigr]
&\ge \Pr_{x}\bigl[A'(f(x)) \in f^{-1}(f(x)) \mid x \in S_n\bigr] \cdot \Pr_{x}[x \in S_n] \\
&\ge \frac{1}{2} \cdot \frac{1}{2p(n)} = \frac{1}{4p(n)}.
\end{aligned}$$
Algorithm $A'$, given as input an element $y$, works as follows:

1. For $i = 1, \ldots, n$ do:

   (a) Choose a random $r \leftarrow \{0,1\}^n$ and compute a "guess"
       $A(y, r) \oplus A(y, r \oplus e^i)$ for the $i$th bit of the pre-image of $y$.

   (b) Repeat the above sufficiently many times (see further below), and
       let $\hat{x}_i$ be the majority of the guesses.

2. Output $\hat{x} = \hat{x}_1 \cdots \hat{x}_n$.

We sketch an analysis of the probability that $A'$ correctly inverts its given
input $y$. (We allow ourselves to be a bit laconic, since a full proof for the most
difficult case is given in the following section.) Fix $n$ to be (one of the infinitely
many values) such that $\Pr_{x, r \leftarrow \{0,1\}^n}[A(f(x), r) = \mathsf{gl}(x, r)] \ge \frac{3}{4} + \frac{1}{p(n)}$, and
assume that $A'$'s input $y = f(x)$ is such that $x \in S_n$ (recall that the latter
occurs with probability at least $\varepsilon(n)/2$). Fix some $i$. The previous claim
implies that each guess $A(y, r) \oplus A(y, r \oplus e^i)$ is equal to $\mathsf{gl}(x, e^i) = x_i$ with
probability at least $\frac{1}{2} + \varepsilon(n)$. By repeating sufficiently many times and letting
$\hat{x}_i$ be the majority, $A'$ can ensure that $\hat{x}_i = x_i$ with probability at least $1 - \frac{1}{2n}$.
We need to ensure that this can be done by taking the majority of only
polynomially many guesses; since $\varepsilon(n) = 1/p(n)$ for some polynomial $p$, this is
indeed the case, as can be shown using a Chernoff bound (a standard bound from
probability theory), along with the fact that an independent value of $r$ is chosen
in each iteration. We leave a full proof using the Chernoff bound as an exercise.

Summarizing where things stand, we have that for each $i$ the value $\hat{x}_i$
computed by $A'$ is incorrect with probability at most $\frac{1}{2n}$. A union bound
thus shows that $A'$ is incorrect for some $i$ with probability at most $n \cdot \frac{1}{2n} = \frac{1}{2}$.
That is, $A'$ is correct for all $i$, and thus correctly inverts $y$, with probability
at least $\frac{1}{2}$. This completes the proof of the proposition. ∎

A corollary of Proposition 6.15 is that if $f$ is a one-way function, then
the probability of correctly guessing $\mathsf{gl}(x, r)$ when given $(f(x), r)$ is at most
negligibly greater than $3/4$. Thus, the bit $\mathsf{gl}(x, r)$ has considerable uncertainty
(when considering polynomial-time observers).
6.3.3  The Full Proof

This  section  is  more  advanced  than  the  rest  of  the  book,  and  relies  on 
more  involved  concepts  from  probability  theory.  We  include  the  full  proof  for 
completeness,  and  for  more  advanced  students  and  courses. 

Preliminaries  — Probabilistic  Sampling 

We use some standard results from probability theory that are reviewed
quickly here. A 0/1-random variable $X_i$ is one that takes a value in $\{0, 1\}$.
The 0/1-random variables $X_1, \ldots, X_m$ are pairwise independent if for every
$i \neq j$ and every $b_i, b_j \in \{0, 1\}$ it holds that

$$\Pr[X_i = b_i \wedge X_j = b_j] = \Pr[X_i = b_i] \cdot \Pr[X_j = b_j].$$
We  rely  on  the  following  proposition: 


PROPOSITION 6.18 Let $X_1, \ldots, X_m$ be pairwise-independent 0/1-random
variables with the following property: there exist values $b \in \{0, 1\}$ and $\varepsilon > 0$
such that for all $1 \le i \le m$,

$$\Pr[X_i = b] = \frac{1}{2} + \varepsilon.$$

Consider the process in which $m$ values $X_1, \ldots, X_m$ are recorded and $X$ is set
to the value that occurs a majority of the time. Then

$$\Pr[X \neq b] \le \frac{1}{4 \cdot \varepsilon^2 \cdot m}.$$

This  proposition  is  standard.  The  reader  willing  to  accept  the  above  on  faith 
can  proceed  directly  to  the  following  section;  for  completeness,  we  provide  a 
self-contained  proof  of  the  proposition  here. 

Let $\mathrm{Exp}[X]$ denote the expectation of a random variable $X$. We have:

Markov's Inequality: Let $X$ be a non-negative random variable and $v > 0$.
Then:

$$\Pr[X \ge v] \le \mathrm{Exp}[X]/v.$$

PROOF We have

$$\begin{aligned}
\mathrm{Exp}[X] &= \sum_{x \ge 0} \Pr[X = x] \cdot x \\
&\ge \sum_{0 \le x < v} \Pr[X = x] \cdot 0 + \sum_{x \ge v} \Pr[X = x] \cdot v \\
&= \Pr[X \ge v] \cdot v. \qquad ∎
\end{aligned}$$
Markov's inequality is useful when very little information about $X$ is known.
When an upper bound on the variance of $X$ is known, however, better bounds
exist. We will use the following basic facts from probability:
$\mathrm{Var}[X] \stackrel{\text{def}}{=} \mathrm{Exp}[(X - \mathrm{Exp}[X])^2]$, $\mathrm{Var}[X] = \mathrm{Exp}[X^2] - \mathrm{Exp}[X]^2$, and
$\mathrm{Var}[aX + b] = a^2 \mathrm{Var}[X]$.

Chebyshev's Inequality: Let $X$ be a random variable and $\delta > 0$. Then:

$$\Pr\bigl[|X - \mathrm{Exp}[X]| \ge \delta\bigr] \le \frac{\mathrm{Var}[X]}{\delta^2}.$$

PROOF Define the non-negative random variable $Y \stackrel{\text{def}}{=} (X - \mathrm{Exp}[X])^2$ and
then apply Markov's inequality. That is,

$$\Pr\bigl[|X - \mathrm{Exp}[X]| \ge \delta\bigr]
\le \Pr\bigl[(X - \mathrm{Exp}[X])^2 \ge \delta^2\bigr]
\le \frac{\mathrm{Exp}[(X - \mathrm{Exp}[X])^2]}{\delta^2}
= \frac{\mathrm{Var}[X]}{\delta^2}. \qquad ∎$$

If $X_1, \ldots, X_m$ are pairwise independent then $\mathrm{Var}\bigl[\sum_{i=1}^{m} X_i\bigr] = \sum_{i=1}^{m} \mathrm{Var}[X_i]$
(this is due to the fact that $\mathrm{Exp}[X_i \cdot X_j] = \mathrm{Exp}[X_i] \cdot \mathrm{Exp}[X_j]$ when $i \neq j$, using
pairwise independence). An important corollary of Chebyshev's inequality
follows.


COROLLARY 6.19 Let $X_1, \ldots, X_m$ be pairwise-independent random
variables with the same expectation $\mu$ and the same variance $\sigma^2$. For every $\varepsilon > 0$,

$$\Pr\left[\,\left|\frac{\sum_{i=1}^{m} X_i}{m} - \mu\right| \ge \varepsilon\right] \le \frac{\sigma^2}{\varepsilon^2 m}.$$

PROOF By linearity of expectations, $\mathrm{Exp}\bigl[\sum_{i=1}^{m} X_i / m\bigr] = \mu$. Applying
Chebyshev's inequality to the random variable $\sum_{i=1}^{m} X_i / m$, we have

$$\Pr\left[\,\left|\frac{\sum_{i=1}^{m} X_i}{m} - \mu\right| \ge \varepsilon\right]
\le \frac{\mathrm{Var}\bigl[\sum_{i=1}^{m} X_i / m\bigr]}{\varepsilon^2}.$$

Using pairwise independence, it follows that

$$\mathrm{Var}\left[\frac{\sum_{i=1}^{m} X_i}{m}\right]
= \frac{1}{m^2} \sum_{i=1}^{m} \mathrm{Var}[X_i]
= \frac{1}{m^2} \cdot m \sigma^2
= \frac{\sigma^2}{m}.$$

The inequality is obtained by combining the above two equations. ∎
We now prove Proposition 6.18. Take $b = 1$ in the proposition (by symmetry,
this choice is irrelevant); this means $\mathrm{Exp}[X_i] = \frac{1}{2} + \varepsilon$. Let $X$ denote the
majority value of the $\{X_i\}$ as in the proposition, and note that $X \neq 1$ only if
$\sum_{i=1}^{m} X_i \le m/2$. So

$$\begin{aligned}
\Pr[X \neq 1] &\le \Pr\left[\sum_{i=1}^{m} X_i \le \frac{m}{2}\right] \\
&= \Pr\left[\frac{\sum_{i=1}^{m} X_i}{m} \le \frac{1}{2}\right] \\
&= \Pr\left[\frac{\sum_{i=1}^{m} X_i}{m} - \Bigl(\frac{1}{2} + \varepsilon\Bigr) \le -\varepsilon\right] \\
&\le \Pr\left[\,\left|\frac{\sum_{i=1}^{m} X_i}{m} - \Bigl(\frac{1}{2} + \varepsilon\Bigr)\right| \ge \varepsilon\right].
\end{aligned}$$

For a 0/1-random variable $X_i$, we have $\sigma^2 = \mathrm{Var}[X_i] \le 1/4$ (this is because in
such a case $\mathrm{Exp}[X_i] = \mathrm{Exp}[X_i^2]$ and so $\mathrm{Var}[X_i] = \mathrm{Exp}[X_i](1 - \mathrm{Exp}[X_i])$, which is
maximized when $\mathrm{Exp}[X_i] = \frac{1}{2}$). Applying the previous corollary, we conclude
that

$$\Pr[X \neq 1] \le \frac{1}{4 \varepsilon^2 m},$$

as claimed. ∎


Proof  of  Theorem  6.13 

We assume familiarity with the simplified proofs in the previous sections,
and rely on the ideas developed there. We prove the following proposition,
which implies Theorem 6.13:

PROPOSITION 6.20 Let $f$ and $\mathsf{gl}$ be as in Theorem 6.13. If there exists
a probabilistic polynomial-time algorithm $A$ and a polynomial $p(\cdot)$ such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{1}{2} + \frac{1}{p(n)}$$

for infinitely many values of $n$, then there exists a probabilistic polynomial-
time adversary $A'$ and a polynomial $p'(\cdot)$ such that

$$\Pr_{x \leftarrow \{0,1\}^n}\bigl[A'(f(x)) \in f^{-1}(f(x))\bigr] \ge \frac{1}{p'(n)}$$

for infinitely many values of $n$.

PROOF As in the proof of Proposition 6.15, we set $\varepsilon(n) = 1/p(n)$ and consider
only those values of $n$ for which $A$ succeeds with probability at least $1/2 + \varepsilon(n)$.
The following is analogous to Claim 6.16 and is proved in the same way.
CLAIM 6.21 Let $n$ be such that

$$\Pr_{x, r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{1}{2} + \varepsilon(n).$$

Then there exists a set $S_n \subseteq \{0,1\}^n$ of size at least $\frac{\varepsilon(n)}{2} \cdot 2^n$ such that for every
$x \in S_n$ it holds that

$$s(x) \stackrel{\text{def}}{=} \Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r)\bigr] \ge \frac{1}{2} + \frac{\varepsilon(n)}{2}. \qquad (6.3)$$

If we try to proceed exactly as in the proof of Proposition 6.15, we will run
into trouble because an analogue of Claim 6.17 will not hold here. Specifically,
the best we can claim here is that when $x \in S_n$ it holds that

$$\Pr_{r \leftarrow \{0,1\}^n}\bigl[A(f(x), r) = \mathsf{gl}(x, r) \,\wedge\, A(f(x), r \oplus e^i) = \mathsf{gl}(x, r \oplus e^i)\bigr] \ge \frac{1}{p(n)}$$

for any $i$. This means that if we try to construct an algorithm $A'$ that guesses
$x_i$ by computing $A(f(x), r) \oplus A(f(x), r \oplus e^i)$, then all we can claim is that this
guess will be correct with probability at least $1/p(n)$, which is not even any
better than taking a random guess! (Moreover, we cannot claim that flipping
the result gives a good guess with high probability, either.)

Instead, we design $A'$ so that it computes $\mathsf{gl}(x, r)$ and $\mathsf{gl}(x, r \oplus e^i)$ by invoking
$A$ only once. We do this by having $A'$ run $A(f(x), r \oplus e^i)$, and having $A'$ simply
"guess" the value $\mathsf{gl}(x, r)$ itself. The naive way to do this would be to choose
the $r$'s independently, as before, and to make an independent guess of $\mathsf{gl}(x, r)$
for each value of $r$. But then the probability that all guesses are correct, which,
as we will see, is needed if $A'$ is to output the correct answer, would be negligible
because polynomially many different $r$'s are used.

The crucial observation of the present proof is that $A'$ can generate the $r$'s
in a pairwise-independent manner, and make its guesses in a particular way so
that with non-negligible probability all of its guesses are correct. Specifically,
in order to generate $m$ different values of $r$, $A'$ selects $\ell = \lceil \log(m + 1) \rceil$
independent and uniformly distributed strings $s^1, \ldots, s^\ell \in \{0,1\}^n$. Then,
for every non-empty subset $I \subseteq \{1, \ldots, \ell\}$, algorithm $A'$ sets $r^I \stackrel{\text{def}}{=} \bigoplus_{i \in I} s^i$.
Since there are $2^\ell - 1$ non-empty subsets, this defines $2^\ell - 1 \ge m$
different strings. Each such string is uniformly distributed when considered
in isolation. Moreover, these strings are all pairwise independent. To see this,
notice that for every two subsets $I \neq J$ there is an index $j \in I \cup J$ such that
$j \notin I \cap J$. Without loss of generality, assume $j \in J$. Then, even conditioned
on some known value of $r^I$, nothing about the value of $s^j$ is revealed and so
$s^j$ is still uniformly distributed. Furthermore, since $s^j$ is included in the XOR
that defines $r^J$, we have that $r^J$ is uniformly distributed even conditioned on
some known value of $r^I$.
We now have the following two important observations:

1. Given the correct values of $\mathsf{gl}(x, s^1), \ldots, \mathsf{gl}(x, s^\ell)$, it is possible to
   correctly compute $\mathsf{gl}(x, r^I)$ for every non-empty subset $I \subseteq \{1, \ldots, \ell\}$. This
   is because

   $$\mathsf{gl}(x, r^I) = \mathsf{gl}\Bigl(x, \bigoplus_{i \in I} s^i\Bigr) = \bigoplus_{i \in I} \mathsf{gl}(x, s^i).$$

2. The values $\mathsf{gl}(x, s^1), \ldots, \mathsf{gl}(x, s^\ell)$ can all be correctly guessed with
   probability $1/2^\ell$. This holds because each bit $\mathsf{gl}(x, s^i)$ is guessed correctly
   with probability $1/2$ and there are $\ell$ bits. If $m$ is polynomial in the
   security parameter $n$, it follows that $2^\ell$ is also polynomial in $n$. Thus,
   with non-negligible probability it is possible to correctly guess all the
   values $\mathsf{gl}(x, s^1), \ldots, \mathsf{gl}(x, s^\ell)$.

Combining the above, we see that this yields a way of obtaining $m = \mathrm{poly}(n)$
pairwise-independent strings $\{r^I\}$ along with correct values for $\{\mathsf{gl}(x, r^I)\}$,
for all $I$, with non-negligible probability. These values can then be used to
compute $x_i$ in the same way as in the proof of Proposition 6.15. Details follow.

The inversion algorithm $A'$. We now provide a full description of an
algorithm $A'$ that receives input $y$ and tries to compute an inverse of $y$. The
algorithm proceeds as follows:

1. Set $n := |y|$ and $\ell := \lceil \log(2n/\varepsilon(n)^2 + 1) \rceil$.

2. Choose $s^1, \ldots, s^\ell \leftarrow \{0,1\}^n$ and $\sigma^1, \ldots, \sigma^\ell \leftarrow \{0, 1\}$ uniformly at
   random.

3. For every non-empty subset $I \subseteq \{1, \ldots, \ell\}$, set $r^I := \bigoplus_{i \in I} s^i$ and
   compute $\rho^I := \bigoplus_{i \in I} \sigma^i$.

4. For $i = 1, \ldots, n$:

   (a) For every non-empty subset $I \subseteq \{1, \ldots, \ell\}$, set

       $$x_i^I := \rho^I \oplus A(y, r^I \oplus e^i).$$

   (b) Set $\hat{x}_i := \mathrm{majority}_I\{x_i^I\}$ (i.e., take the bit that appeared a majority
       of the times in the previous step).

5. Output $\hat{x} = \hat{x}_1 \cdots \hat{x}_n$.

Analyzing the success probability of $A'$. It remains to compute the
probability that $A'$ successfully outputs $\hat{x} \in f^{-1}(y)$. Similarly to the proof of
Proposition 6.15, we focus only on the case when $y = f(x)$ for $x \in S_n$. Each
$\sigma^i$ can be viewed as a "guess" for the value of $\mathsf{gl}(x, s^i)$. As noted earlier, with
non-negligible probability all these guesses will be correct; we show that when
this occurs then $A'$ outputs $\hat{x} = x$ with probability at least $1/2$. This will
complete the proof.
Assuming $\sigma^i = \mathsf{gl}(x, s^i)$ for all $i$, each $\rho^I$ is equal to the correct value of
$\mathsf{gl}(x, r^I)$. Fix an index $i \in \{1, \ldots, n\}$ and consider the probability that $A'$
obtains the correct value of $x_i$. Because $A(y, r^I \oplus e^i) = \mathsf{gl}(x, r^I \oplus e^i)$ with
probability at least $\frac{1}{2} + \varepsilon(n)/2$ (this follows from the facts that $x \in S_n$ and
that $r^I \oplus e^i$, considered in isolation, is a uniformly distributed string), we
know that

$$\Pr[x_i^I = x_i] = \Pr\bigl[A(f(x), r^I \oplus e^i) = \mathsf{gl}(x, r^I \oplus e^i)\bigr] \ge \frac{1}{2} + \frac{\varepsilon(n)}{2}$$

for all $I$. Moreover, the $\{x_i^I\}_{I \subseteq \{1, \ldots, \ell\}}$ are pairwise independent because the
$\{r^I\}_{I \subseteq \{1, \ldots, \ell\}}$ (and hence the $\{r^I \oplus e^i\}_{I \subseteq \{1, \ldots, \ell\}}$) are pairwise independent.

Since $\hat{x}_i$ is defined as the value that occurs a majority of the time among
$\{x_i^I\}$, we are now in a position to apply Proposition 6.18. Setting $m = 2^\ell - 1$,
we have that

$$\Pr[\hat{x}_i \neq x_i]
\le \frac{1}{4 \cdot (\varepsilon(n)/2)^2 \cdot (2^\ell - 1)}
\le \frac{1}{4 \cdot (\varepsilon(n)/2)^2 \cdot (2n/\varepsilon(n)^2)}
= \frac{1}{2n}.$$

The above holds for all $i$, so by applying a union bound we see that the
probability that $\hat{x}_i \neq x_i$ for some $i$ is at most $1/2$. That is, $\hat{x}_i = x_i$ for all $i$
(and hence $\hat{x} = x$) with probability at least $1/2$.

Putting everything together: with probability at least $\varepsilon(n)/2$ it holds that
$y = f(x)$ with $x \in S_n$. Independently of this event, the probability that all of
the guesses $\sigma^i$ are correct is at least

$$\frac{1}{2^\ell} \ge \frac{1}{2 \cdot (2n/\varepsilon(n)^2 + 1)} \ge \frac{\varepsilon(n)^2}{5n}$$

(the last inequality holds for $n$ large enough). Conditioned on both of the
above, $A'$ outputs an inverse of $y$ with probability at least $1/2$. The overall
probability with which $A'$ inverts its input $y$ is therefore at least
$\varepsilon(n)^3/20n = 1/(20 \cdot n \cdot p(n)^3)$ for infinitely many values of $n$. Since $A'$ runs in
polynomial time, this contradicts the one-wayness of $f$. ∎


6.4  Constructing  Pseudorandom  Generators 

We  first  show  how  to  construct  pseudorandom  generators  that  stretch  their 
input  by  a single  bit,  under  the  assumption  that  one-way  permutations  exist. 
We  then  show  how  to  extend  this  to  obtain  any  polynomial  expansion  factor. 
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6.4.1  Pseudorandom  Generators  with  Minimal  Expansion 

Let $f$ be a one-way permutation and let $\mathrm{hc}$ be a hard-core predicate of
$f$ (such a predicate exists by Theorem 6.13). The starting point for the
construction is the fact that given $f(s)$ for a random $s$, it is hard to guess
the value of $\mathrm{hc}(s)$ with probability that is non-negligibly higher than $1/2$.
Thus, intuitively, $\mathrm{hc}(s)$ is a pseudorandom bit. Furthermore, since $f$ is a
permutation, $f(s)$ is uniformly distributed (applying a permutation to a uniformly
distributed value yields a uniformly distributed value). We therefore
conclude that the string $(f(s), \mathrm{hc}(s))$ is pseudorandom and so the algorithm
$G(s) = (f(s), \mathrm{hc}(s))$ constitutes a pseudorandom generator.

THEOREM 6.22  Let $f$ be a one-way permutation, and let $\mathrm{hc}$ be a hard-core
predicate of $f$. Then the algorithm $G(s) = (f(s), \mathrm{hc}(s))$ is a pseudorandom
generator with $\ell(n) = n + 1$.


PROOF  Let $D$ be a probabilistic polynomial-time distinguisher, and set

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr_{s \leftarrow \{0,1\}^n}\left[D(G(s)) = 1\right] - \Pr_{r \leftarrow \{0,1\}^{n+1}}\left[D(r) = 1\right].$$

Observe that

$$\Pr_{r \leftarrow \{0,1\}^{n+1}}\left[D(r) = 1\right]
= \Pr_{s \leftarrow \{0,1\}^n,\, r' \leftarrow \{0,1\}}\left[D(f(s), r') = 1\right]
= \frac12 \cdot \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \mathrm{hc}(s)) = 1\right] + \frac12 \cdot \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \overline{\mathrm{hc}(s)}) = 1\right],$$

where $\overline{\mathrm{hc}(s)}$ denotes the complement bit $1 - \mathrm{hc}(s)$,
using the fact that $f$ is a permutation for the first equality, and the fact that
a random bit $r'$ is equal to $\mathrm{hc}(s)$ with probability exactly $1/2$ for the second
equality. Thus,

$$\varepsilon(n) = \frac12 \cdot \left( \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \mathrm{hc}(s)) = 1\right] - \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \overline{\mathrm{hc}(s)}) = 1\right] \right).$$

Consider the following algorithm $A$ that is given as input a value $y = f(s)$
and tries to predict the value of $\mathrm{hc}(s)$:

1. Choose $r' \leftarrow \{0,1\}$ uniformly at random.

2. Run $D(y, r')$. If $D$ outputs 1, output $r'$; otherwise output $1 - r'$.

By definition of $A$ we have

$$\begin{aligned}
\Pr_{s \leftarrow \{0,1\}^n}\left[A(f(s)) = \mathrm{hc}(s)\right]
&= \frac12 \cdot \Pr_{s \leftarrow \{0,1\}^n}\left[A(f(s)) = \mathrm{hc}(s) \mid r' = \mathrm{hc}(s)\right]
 + \frac12 \cdot \Pr_{s \leftarrow \{0,1\}^n}\left[A(f(s)) = \mathrm{hc}(s) \mid r' \neq \mathrm{hc}(s)\right] \\
&= \frac12 \cdot \left( \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \mathrm{hc}(s)) = 1\right] + \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \overline{\mathrm{hc}(s)}) = 0\right] \right) \\
&= \frac12 \cdot \left( \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \mathrm{hc}(s)) = 1\right] + \left(1 - \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \overline{\mathrm{hc}(s)}) = 1\right]\right) \right) \\
&= \frac12 + \frac12 \cdot \left( \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \mathrm{hc}(s)) = 1\right] - \Pr_{s \leftarrow \{0,1\}^n}\left[D(f(s), \overline{\mathrm{hc}(s)}) = 1\right] \right) \\
&= \frac12 + \varepsilon(n).
\end{aligned}$$

Clearly $A$ runs in polynomial time. Since $\mathrm{hc}$ is a hard-core predicate for $f$, it
follows that there exists a negligible function $\mathsf{negl}$ for which $\varepsilon(n) \le \mathsf{negl}(n)$.
An analogous argument (with $A$ outputting $1 - r'$ when $D$ outputs 1) shows that $-\varepsilon(n) \le \mathsf{negl}(n)$. Taken together, this
means that

$$\left| \Pr_{s \leftarrow \{0,1\}^n}\left[D(G(s)) = 1\right] - \Pr_{r \leftarrow \{0,1\}^{n+1}}\left[D(r) = 1\right] \right| \le \mathsf{negl}(n),$$

completing the proof that $G$ is a pseudorandom generator. ∎


6.4.2  Increasing  the  Expansion  Factor 

We now show that the expansion factor of a pseudorandom generator can
be increased by any polynomial amount. This means that the previous
construction (with expansion factor $\ell(n) = n + 1$) suffices for constructing a
pseudorandom generator with arbitrary polynomial expansion factor.

THEOREM 6.23  If there exists a pseudorandom generator $G$ with expansion
factor $\ell(n) = n + 1$, then for any polynomial $p(n) > n$ there exists a
pseudorandom generator $\hat{G}$ with expansion factor $\ell(n) = p(n)$.

PROOF  The idea behind the construction of $\hat{G}$ from $G$ is as follows. Given
an initial seed $s$ of length $n$, the generator $G$ can be used to obtain $n + 1$
pseudorandom bits. One of the $n + 1$ bits may be output, and the remaining $n$
bits can be used once again as a seed for $G$. The reason that these $n$ bits can
be used as a seed is because they are pseudorandom, and therefore essentially
as good as a truly random seed. This procedure can be iteratively applied to
output as many bits as desired; see Figure 6.1.

FIGURE 6.1: Increasing the expansion of a pseudorandom generator.

We now formally describe the construction of $\hat{G}$. On input $s \in \{0,1\}^n$:

1. Let $p'(n) = p(n) - n$. Note that this is the amount by which $\hat{G}$ is
supposed to increase the length of its input.

2. Set $s_0 := s$. For $i = 1, \ldots, p'(n)$ do:

   (a) Let $s'_{i-1}$ denote the first $n$ bits of $s_{i-1}$, and let $\sigma_{i-1}$ denote the
   remaining $i - 1$ bits. (When $i = 1$, $\sigma_0$ is the empty string.)

   (b) Set $s_i := (G(s'_{i-1}), \sigma_{i-1})$.

3. Output $s_{p'(n)}$.

Before proceeding, note that when $i = 1$, $s_0$ is the original seed and in step 2b
we have $s_1 = G(s_0)$. Then, when $i = 2$, the string $s_1$ of length $n + 1$ is split
into a prefix of length $n$, denoted $s'_1$, and a suffix of length 1, denoted $\sigma_1$. The
string $s'_1$ is used as the seed to $G$ again and the resulting string $s_2$ is of length
$n + 2$ (namely, it is $(G(s'_1), \sigma_1)$). Observe that in the next iteration, the last
two bits of $s_2$ become $\sigma_2$ (where the first bit of $\sigma_2$ is the last bit of $G(s'_1)$
and the second bit of $\sigma_2$ is $\sigma_1$). Thus, in each iteration a single extra bit is
generated, and this is incorporated into the "$\sigma$ part". For this reason, the $\sigma_i$
values grow by one in length in each iteration, as demonstrated in Figure 6.1.

We prove that $\hat{G}(s)$ is a pseudorandom string of length $p(n)$. We begin by
proving this for the simple case of $p(n) = n + 2$.

Define three sequences of distributions $\{H^0_n\}$, $\{H^1_n\}$, $\{H^2_n\}$, where each of
$H^0_n$, $H^1_n$, and $H^2_n$ is a distribution on strings of length $n + 2$. In distribution
$H^0_n$ the string $s_0 \leftarrow \{0,1\}^n$ is chosen uniformly at random and the output
is $\hat{G}(s_0)$. In distribution $H^1_n$ the string $s_1 \leftarrow \{0,1\}^{n+1}$ is chosen uniformly
at random and then $\hat{G}$ is run as above but starting from iteration $i = 2$.
That is, parse $s_1$ as $(s'_1, \sigma_1)$ with $|s'_1| = n$, and then output $(G(s'_1), \sigma_1)$. In
distribution $H^2_n$ the string $s_2 \leftarrow \{0,1\}^{n+2}$ is chosen uniformly at random
and output. We denote by $s_2 \leftarrow H^j_n$ the choice of the $(n+2)$-bit string $s_2$
according to distribution $H^j_n$.

We first claim that for any probabilistic polynomial-time distinguisher $D$
there exists a negligible function $\mathsf{negl}$ such that

$$\left| \Pr_{s_2 \leftarrow H^0_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right] \right| \le \mathsf{negl}(n). \tag{6.4}$$

To see this, fix some $D$ and consider the polynomial-time distinguisher $D'$
that, on input $w \in \{0,1\}^{n+1}$, sets $s_1 := w$ and then runs $\hat{G}$ as above but
starting from iteration $i = 2$. This yields a string $s_2$, and then $D'$ outputs
$D(s_2)$. The following observations are immediate from the syntactic definitions
of $H^0_n$ and $H^1_n$:

1. If $w$ is chosen uniformly at random, the distribution on $s_2$ generated by
$D'$ is exactly that of distribution $H^1_n$. Thus,

$$\Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1\right] = \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right].$$

2. If $w = G(s)$ for $s \leftarrow \{0,1\}^n$ chosen uniformly at random, the distribution
on $s_2$ generated by $D'$ is exactly that of distribution $H^0_n$. I.e.,

$$\Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1\right] = \Pr_{s_2 \leftarrow H^0_n}\left[D(s_2) = 1\right].$$

Pseudorandomness of $G$ implies that there exists a negligible function $\mathsf{negl}$
such that

$$\left| \Pr_{s_2 \leftarrow H^0_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right] \right|
= \left| \Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1\right] - \Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1\right] \right| \le \mathsf{negl}(n).$$

Equation (6.4) follows.

We next claim that for any probabilistic polynomial-time distinguisher $D$
there exists a negligible function $\mathsf{negl}$ such that

$$\left| \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^2_n}\left[D(s_2) = 1\right] \right| \le \mathsf{negl}(n). \tag{6.5}$$

The proof is very similar. Consider the polynomial-time distinguisher $D'$
that, on input $w \in \{0,1\}^{n+1}$, chooses $\sigma_1 \leftarrow \{0,1\}$ uniformly at random,
sets $s_2 := (w, \sigma_1)$, and outputs $D(s_2)$. Notice that if $w$ is chosen uniformly at
random then $s_2$ is uniformly distributed and so is distributed exactly according
to $H^2_n$. Thus,

$$\Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1\right] = \Pr_{s_2 \leftarrow H^2_n}\left[D(s_2) = 1\right].$$

On the other hand, if $w = G(s)$ for $s \leftarrow \{0,1\}^n$ chosen uniformly at random
then $s_2$ is distributed exactly according to $H^1_n$ and so

$$\Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1\right] = \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right].$$

As before, pseudorandomness of $G$ implies Equation (6.5).

Fix some probabilistic polynomial-time distinguisher $D$. We have

$$\begin{aligned}
\left| \Pr_{s \leftarrow \{0,1\}^n}\left[D(\hat{G}(s)) = 1\right] - \Pr_{r \leftarrow \{0,1\}^{n+2}}\left[D(r) = 1\right] \right|
&= \left| \Pr_{s_2 \leftarrow H^0_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^2_n}\left[D(s_2) = 1\right] \right| \\
&\le \left| \Pr_{s_2 \leftarrow H^0_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right] \right|
 + \left| \Pr_{s_2 \leftarrow H^1_n}\left[D(s_2) = 1\right] - \Pr_{s_2 \leftarrow H^2_n}\left[D(s_2) = 1\right] \right|.
\end{aligned} \tag{6.6}$$

Using Equations (6.4) and (6.5), we conclude that the left-hand side of Equation (6.6) is negligible.

The full proof.  We now give a proof for arbitrary $p(n)$. The main difference
here is a technical one: in the case of $p(n) = n + 2$ we could define and
explicitly work with three sequences of distributions $\{H^0_n\}, \{H^1_n\}, \{H^2_n\}$.
Here, in contrast, we will (in some sense) need to deal with infinitely-many
sequences of distributions. Instead of dealing with these explicitly, we deal
with them implicitly using a common technique known as a hybrid argument.
(Actually, even the case of $p(n) = n + 2$ utilized a simple hybrid argument.)

Let $p'(n) = p(n) - n$. For any $n$ and $0 \le j \le p'(n)$, let $H^j_n$ be the distribution
on strings of length $p(n)$ defined as follows: choose $s_j \leftarrow \{0,1\}^{n+j}$ uniformly
at random and then run $\hat{G}$ starting from iteration $i = j + 1$ and output $s_{p'(n)}$.
(When $j = p'(n)$ this means we simply choose $s_{p'(n)} \leftarrow \{0,1\}^{p(n)}$
uniformly at random and output it.) The crucial observation here is that $H^0_n$
corresponds to outputting $\hat{G}(s)$ for $s \leftarrow \{0,1\}^n$ chosen uniformly at random,
while $H^{p'(n)}_n$ corresponds to outputting a $p(n)$-bit string chosen uniformly at
random. Fixing any polynomial-time distinguisher $D$, this means that


$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \left| \Pr_{s \leftarrow \{0,1\}^n}\left[D(\hat{G}(s)) = 1\right] - \Pr_{r \leftarrow \{0,1\}^{p(n)}}\left[D(r) = 1\right] \right|
= \left| \Pr_{s_{p'(n)} \leftarrow H^0_n}\left[D(s_{p'(n)}) = 1\right] - \Pr_{s_{p'(n)} \leftarrow H^{p'(n)}_n}\left[D(s_{p'(n)}) = 1\right] \right|. \tag{6.7}$$




Our goal is to prove that $\varepsilon$ is negligible, implying that $\hat{G}$ is a pseudorandom
generator.

Fix $D$ as above, and consider the distinguisher $D'$ that does the following
when given a string $w \in \{0,1\}^{n+1}$ as input:

1. Choose $j \leftarrow \{1, \ldots, p'(n)\}$ uniformly at random.

2. Choose $\sigma_j \leftarrow \{0,1\}^{j-1}$ uniformly at random.

3. Set $s_j := (w, \sigma_j)$. Then run $\hat{G}$ starting from iteration $i = j + 1$ and
compute $s_{p'(n)}$. Output $D(s_{p'(n)})$.

Analyzing the behavior of $D'$ is more complicated than before, though the
underlying ideas are the same. Fix $n$ and say $D'$ chooses $j = J$. If $w \leftarrow \{0,1\}^{n+1}$
was chosen uniformly at random, then $s_J$ is uniformly distributed, and so the
distribution on $s_{p'(n)}$ is exactly that of distribution $H^J_n$. That is,

$$\Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1 \mid j = J\right] = \Pr_{s_{p'(n)} \leftarrow H^J_n}\left[D(s_{p'(n)}) = 1\right].$$

Since each value for $j$ is chosen with equal probability,

$$\Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1\right]
= \frac{1}{p'(n)} \cdot \sum_{J=1}^{p'(n)} \Pr_{w \leftarrow \{0,1\}^{n+1}}\left[D'(w) = 1 \mid j = J\right]
= \frac{1}{p'(n)} \cdot \sum_{J=1}^{p'(n)} \Pr_{s_{p'(n)} \leftarrow H^J_n}\left[D(s_{p'(n)}) = 1\right]. \tag{6.8}$$


On the other hand, say $D'$ chooses $j = J$ and $w = G(s)$ for $s \leftarrow \{0,1\}^n$
chosen uniformly at random. Mentally setting $s_{J-1} = (s, \sigma_J)$, we see that
$s_{J-1}$ is uniformly distributed and so the distribution on $s_{p'(n)}$ is now exactly
that of distribution $H^{J-1}_n$. That is,

$$\Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1 \mid j = J\right] = \Pr_{s_{p'(n)} \leftarrow H^{J-1}_n}\left[D(s_{p'(n)}) = 1\right]$$

and then

$$\begin{aligned}
\Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1\right]
&= \frac{1}{p'(n)} \cdot \sum_{J=1}^{p'(n)} \Pr_{s \leftarrow \{0,1\}^n}\left[D'(G(s)) = 1 \mid j = J\right] \\
&= \frac{1}{p'(n)} \cdot \sum_{J=1}^{p'(n)} \Pr_{s_{p'(n)} \leftarrow H^{J-1}_n}\left[D(s_{p'(n)}) = 1\right] \\
&= \frac{1}{p'(n)} \cdot \sum_{J=0}^{p'(n)-1} \Pr_{s_{p'(n)} \leftarrow H^J_n}\left[D(s_{p'(n)}) = 1\right].
\end{aligned} \tag{6.9}$$
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(Note  that  the  indices  of  summation  have  been  shifted  in  the  final  step.)  We 
can  now  analyze  how  well  D'  distinguishes  outputs  of  G fi*om  random: 


Pr  [i:>'(G(s))  = 1]  - Pr  \D'(w)  = 1] 

p'{n)  — l ^ p'{n) 


p'{n) 

1 

p'{n) 


-Hi 


= 1] 


j_Q  J=1 

Pr  „J^(V(n))  = 1]  - Pr  [i)(Sp.(n))  = 1] 


g(r^) 

p'{n)  ’ 


relying  on  Equations  (6.8)  and  (6.9)  for  the  first  equality  and  Equation  (6.7) 
for  the  final  equality.  (The  second  equality  is  due  to  the  fact  that  the  same 
terms  are  included  in  each  sum,  except  for  the  first  term  of  the  left  sum  and  the 
last  term  of  the  right  sum.)  Since  G is  a pseudorandom  generator,  D'  runs  in 
polynomial  time,  and  p'  is  polynomial,  we  conclude  that  e is  negligible.  | 


The hybrid technique.  The hybrid technique is used in many proofs of security
and is a basic tool for proving indistinguishability when a basic primitive
is applied multiple times. The technique works by defining a series of hybrid
distributions that bridge between two "extreme distributions", these being
the distributions that we wish to prove indistinguishable (in the proof above,
these correspond to the output of $\hat{G}$ and a random string, respectively). To
apply the proof technique, three conditions should hold. First, the extreme
hybrids should match the original cases of interest (in the proof above, this
means that $H^0_n$ was equal to the distribution induced by $\hat{G}$, while $H^{p'(n)}_n$
was equal to the uniform distribution). Second, it must be possible to translate
the capability of distinguishing neighboring hybrids into the capability of
breaking some underlying assumption (above, distinguishing $H^j_n$ from $H^{j+1}_n$
was essentially equivalent to distinguishing the output of $G$ from random).
Finally, the number of hybrids should be polynomial, so the "distinguishing
success" is only reduced by a polynomial factor.

An explicit generator with arbitrary expansion factor.  Let $f$ be a one-way
permutation with hard-core predicate $\mathrm{hc}$. By combining the construction
of Theorem 6.22 (that states that $G(s) = (f(s), \mathrm{hc}(s))$ is a pseudorandom
generator) with the proof of Theorem 6.23, we obtain that

$$\hat{G}(s) = \left( f^{p'(n)}(s),\ \mathrm{hc}\!\left(f^{p'(n)-1}(s)\right),\ \ldots,\ \mathrm{hc}(s) \right)$$

is a pseudorandom generator with expansion factor $p(n) = n + p'(n)$. This
generator is known as the Blum-Micali generator.
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Modern  stream  cipher  design.  Many  modern  stream  ciphers  work  by 
maintaining  a pseudorandom  internal  state,  much  as  in  the  construction  of  G 
shown  above.  In  each  iteration  of  the  generator,  some  pseudorandom  bits 
are  output  and  the  internal  state  is  updated.  The  construction  described  in 
Theorem  6.23  (and  in  Figure  6.1)  works  in  exactly  this  way,  except  that  for  a 
stream  cipher  only  the  Oi  values  are  output  (and,  in  particular,  is  not 

output)  so  that  unbounded  expansion  can  be  achieved.  The  preceding  proof 
validates  this  design  principle  for  stream  ciphers,  since  it  shows  that  in  some 
circumstances  it  can  be  used  to  achieve  a provably-secure  construction. 
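The following added example (not code from the book) runs the construction of Theorem 6.23 on the generator of Theorem 6.22 and checks, on concrete inputs, the identity claimed above for the Blum-Micali generator, together with the stream-cipher variant that emits only the $\sigma$ bits. The permutation $f$ (an affine map on $n$-bit integers with an odd multiplier) and the predicate $\mathrm{hc}$ (parity) are toy stand-ins chosen so the code runs; they are neither one-way nor hard-core, and nothing about security follows from them. Only the bookkeeping of the iteration is being exercised.

```python
"""Iterated expansion of a one-bit-stretch PRG (Theorem 6.23), built on
G(s) = (f(s), hc(s)) (Theorem 6.22), with a check of the Blum-Micali form.

Toy stand-ins (assumptions, not the page's objects): f is an affine
permutation on n-bit integers and hc is the parity of s.  Neither is one-way
or hard-core; they only give a concrete permutation/predicate so that the
iteration structure and the Blum-Micali identity can be executed."""
from __future__ import annotations

N = 16                   # seed length n in bits (toy value; assumption)
MASK = (1 << N) - 1
A_ODD, B = 0x9E37, 0x3C6F  # odd multiplier => x -> a*x + b mod 2^n is a permutation


def f(x: int) -> int:
    """Toy permutation on {0,1}^n (stand-in for a one-way permutation)."""
    return (A_ODD * x + B) & MASK


def hc(x: int) -> int:
    """Toy predicate: parity of x (stand-in for a hard-core predicate)."""
    return bin(x).count("1") & 1


def G(s: int) -> tuple[int, int]:
    """Theorem 6.22 generator: n-bit seed -> (f(s), hc(s)), i.e. n+1 bits."""
    return f(s), hc(s)


def G_hat(s: int, p: int) -> tuple[int, list[int]]:
    """Construction of Theorem 6.23: expand an n-bit seed to p bits.

    State s_i is kept as (s'_i, sigma_i): the n-bit prefix s'_i as an int and
    the (i-1)-bit suffix sigma_i as a list of bits, newest bit first.
    Returns (s'_{p'}, sigma_{p'}) with p' = p - n, which together are s_{p'}."""
    assert p > N
    p_prime = p - N                      # step 1: p'(n) = p(n) - n
    state, sigma = s, []                 # step 2: s_0 := s, sigma_0 is empty
    for _ in range(p_prime):
        nxt, bit = G(state)              # step 2b: s_i := (G(s'_{i-1}), sigma_{i-1})
        state, sigma = nxt, [bit] + sigma
    return state, sigma                  # step 3: output s_{p'(n)}


def blum_micali(s: int, p: int) -> tuple[int, list[int]]:
    """Explicit form from the text: (f^{p'}(s), hc(f^{p'-1}(s)), ..., hc(s))."""
    p_prime = p - N
    iterates = [s]                       # f^0(s), f^1(s), ..., f^{p'}(s)
    for _ in range(p_prime):
        iterates.append(f(iterates[-1]))
    bits = [hc(iterates[j]) for j in range(p_prime - 1, -1, -1)]
    return iterates[-1], bits


def stream_bits(s: int, count: int) -> list[int]:
    """Stream-cipher view: emit only the sigma bits, in generation order,
    and never output the n-bit state."""
    out, state = [], s
    for _ in range(count):
        state, bit = G(state)
        out.append(bit)
    return out


if __name__ == "__main__":
    seed, p = 0xBEEF, N + 8
    print(G_hat(seed, p), G_hat(seed, p) == blum_micali(seed, p))
```

`G_hat` stores the growing $\sigma$ part with the newest bit first, which is exactly the order in which the text lists the Blum-Micali output; `stream_bits` returns the same bits in the order a stream cipher would emit them, so the two agree up to reversal.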


6.5  Constructing  Pseudorandom  Functions 

Having  shown  how  to  construct  pseudorandom  generators  from  one-way 
permutations,  we  continue  and  show  how  to  construct  pseudorandom  func- 
tions from  pseudorandom  generators.  As  defined  in  Section  3.6.1,  a pseudoran- 
dom function  is  an  efficiently-computable  keyed  function  that  looks  random 
to  any  polynomial-time  distinguisher;  recall,  this  distinguisher  receives  oracle 
access  to  either  a truly  random  function  or  a pseudorandom  one. 

We motivate the full construction by the following short example. Let $G$ be
a pseudorandom generator with expansion factor $\ell(n) = 2n$ (i.e., $G$ is length
doubling), and denote $G(s) = (G_0(s), G_1(s))$, where $|s| = |G_0(s)| = |G_1(s)| =
n$. That is, the seed length is $n$, $G_0(s)$ denotes the first half of the output
of $G(s)$, and $G_1(s)$ denotes the second half of the output. We now use $G$ to
construct a keyed function, using an $n$-bit key, that takes a single bit as input
and outputs strings of length $n$. For a key $k$, define:

$$F_k(0) \stackrel{\mathrm{def}}{=} G_0(k) \quad \text{and} \quad F_k(1) \stackrel{\mathrm{def}}{=} G_1(k).$$

We claim that this function is pseudorandom.¹ This follows immediately from
the fact that $G$ is a pseudorandom generator: A random function mapping one
bit to $n$ bits is defined by a table of two $n$-bit values, each of which is chosen
at random. Here, we have defined a keyed function by what is essentially
a table of two $n$-bit values, each of which is pseudorandom. Thus, $F_k$ (for
randomly-chosen $k$) cannot be distinguished from a random function by any
polynomial-time algorithm.


¹Our formal definition of pseudorandom functions (Definition 3.23) assumes a length-
preserving function having $\{0,1\}^n$ as its domain and range. The definition can be extended
in the obvious way for functions having an arbitrary domain and range.
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We  now  take  this  construction  a step  further  and  define  a pseudorandom 
function  that  takes  a two-bit  input.  For  a key  k,  define: 

Ffc(OO)  = Go(Go(A:))  Ffc(lO)  = Go(Gi  (A:)) 

Ffc(Ol)  = Gi(Go(A:))  Ffc(ll)  = G^{Gi{k)). 

We  now  claim  that  the  four  strings  Go{Go{k)),  Go{Gi{k)),  G\{Go{k)),  and 
G\{G\{k))  are  pseudorandom,  even  when  viewed  together.  (As  above,  this 
suffices  to  prove  that  the  function  Fk  is  pseudorandom.)  Indeed,  consider  the 
following  hybrid  distribution: 

Go{ko),  Gi{ko),  Go(ki),  Gi{ki), 

where  ko,  k\  {0, 1}”  are  independent,  uniformly-distributed  strings.  In  this 
hybrid  distribution,  the  random  string  ko  takes  the  place  of  GQ{k)  and  the 
random  string  k\  takes  the  place  of  Gi{k).  Now,  if  it  is  possible  to  distinguish 
the  hybrid  distribution  from  the  original  distribution,  then  we  would  be  able 
to  distinguish  between  the  pseudorandom  string  G{k)  = {Go{k),G\{k))  and 
a truly  random  string  (^1,^2),  in  contradiction  to  the  pseudorandomness  of 
G.  Likewise,  if  it  is  possible  to  distinguish  the  hybrid  distribution  from  a 
truly  random  string  of  length  4n,  then  it  would  be  possible  to  distinguish 
either  G{ko)  = (Go(^o),  <^i(A:o))  from  a truly  random  string  of  length  2n,  or 
G{k\)  — {Go{ki),Gi{ki))  from  a truly  random  string  of  length  2,n.  Once 
again,  this  contradicts  the  pseudorandomness  of  G.  Combining  the  above,  we 
have  that  the  four  strings  are  pseudorandom,  and  so  the  function  defined  is 
also  pseudorandom.  The  formal  proof  of  this  fact  is  left  as  an  exercise. 

We can generalize the above constructions to obtain a pseudorandom function
on $n$-bit inputs by defining

$$F_k(x) = G_{x_n}\!\left(\cdots \left(G_{x_2}(G_{x_1}(k))\right) \cdots\right),$$

where $x = x_1 \cdots x_n$; see Construction 6.24. The intuition for why this function
is pseudorandom is the same as before, but the formal proof is now complicated
by the fact that there are now exponentially-many values to consider
(namely, $F_k(0 \cdots 0)$ through $F_k(1 \cdots 1)$).


CONSTRUCTION 6.24

Let $G$ be a pseudorandom generator with expansion factor $\ell(n) = 2n$.
Denote by $G_0(k)$ the first half of $G$'s output, and by $G_1(k)$ the second
half of $G$'s output. For every $k \in \{0,1\}^n$, define the function
$F_k : \{0,1\}^n \to \{0,1\}^n$ as:

$$F_k(x_1 x_2 \cdots x_n) = G_{x_n}\!\left(\cdots \left(G_{x_2}(G_{x_1}(k))\right) \cdots\right).$$

A pseudorandom function from a pseudorandom generator.
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This  construction  can  be  viewed  as  a full  binary  tree  of  depth  n,  defined  as 
follows  (see  Figure  6.2).  The  value  at  the  root  equals  the  key  k.  Then,  for 
any  node  of  value  k\  the  left  child  of  k'  has  value  Go  (A:')  and  the  right  child  of 
k'  has  value  Gi(fc').  The  value  of  Fk{x)  ior  x — x-^  Xn  is  then  equal  to  the 
value  at  the  leaf  that  is  reached  by  traversing  the  tree  according  to  x (that 
is,  Xi  — 0 means  “go  left  in  the  tree” , and  Xi  — 1 means  “go  right” ) . We 
stress  that  the  function  is  only  defined  for  inputs  of  length  n,  and  thus  only 
values  in  the  leaves  are  ever  output.  The  size  of  the  tree  is  exponential  in  n;  in 
particular,  there  are  2'^  leaves.  Nevertheless,  to  compute  the  function  Fk{x) 
we  never  need  to  construct  and  store  the  entire  tree  explicitly.  Rather,  we 
only  need  to  compute  the  values  on  the  path  from  the  root  to  the  appropriate 
leaf. 
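As an added example (not code from the book), the tree-walk of Construction 6.24 can be implemented directly, with a counter showing that a single evaluation touches exactly $n$ nodes of the tree rather than all $2^n$ leaves. The length-doubling generator is a stand-in: $G(k)$ is taken to be SHA-256 of a 16-byte seed, split into $G_0(k)$ (first 16 bytes) and $G_1(k)$ (last 16 bytes), so $n = 128$ bits. SHA-256 is not a proven pseudorandom generator; it is used only because it is a concrete, available length-doubling map, and the security claim of Theorem 6.25 is not being asserted for it.

```python
"""Construction 6.24 (the tree-based PRF) with a length-doubling PRG.

Stand-in (assumption): G(k) = SHA-256(k) with n = 128 bits, G_0 = first
half, G_1 = second half.  SHA-256 is not a proven PRG; it only supplies a
concrete length-doubling map so the path-walk through the tree can be run
and its cost counted."""
from __future__ import annotations

import hashlib

N_BYTES = 16                # n = 128 bits (assumption)
CALLS = {"G": 0}            # counts PRG invocations: one per tree level visited


def G(k: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG stand-in: 16-byte seed -> (G_0(k), G_1(k))."""
    assert len(k) == N_BYTES
    CALLS["G"] += 1
    out = hashlib.sha256(k).digest()
    return out[:N_BYTES], out[N_BYTES:]


def G0(k: bytes) -> bytes:
    """Value of the left child of a node with value k."""
    return G(k)[0]


def G1(k: bytes) -> bytes:
    """Value of the right child of a node with value k."""
    return G(k)[1]


def walk(k: bytes, path: str) -> bytes:
    """Follow `path` from a node of value k: '0' goes left, '1' goes right."""
    assert set(path) <= {"0", "1"}
    node = k
    for bit in path:
        node = G0(node) if bit == "0" else G1(node)
    return node


def F(k: bytes, x: str) -> bytes:
    """F_k(x_1...x_n) = G_{x_n}(...(G_{x_2}(G_{x_1}(k)))...).

    Only n-bit inputs are accepted: a shorter x would stop at an internal
    node, and the construction never outputs internal node values."""
    assert len(x) == 8 * N_BYTES
    return walk(k, x)


def figure_example(k: bytes) -> bytes:
    """The Figure 6.2 path on a depth-3 tree: F_k(011) = G_1(G_1(G_0(k)))."""
    return walk(k, "011")


def calls_for_one_query(k: bytes, x: str) -> int:
    """PRG calls made by one evaluation of F_k(x): exactly n, one per level."""
    before = CALLS["G"]
    F(k, x)
    return CALLS["G"] - before


if __name__ == "__main__":
    key = bytes(range(N_BYTES))
    query = "0" * (8 * N_BYTES - 1) + "1"
    print(F(key, query).hex(), calls_for_one_query(key, query))
```

Because the walk recomputes the path on every call, two queries that share a prefix recompute the shared nodes; a cache keyed by prefix would turn this into the lazily-filled tree used by the distinguisher $D'$ in the proof sketch that follows.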


FIGURE 6.2: Constructing a pseudorandom function. (The figure traces the
path for $x = 011$: $F_k(011) = G_1(G_1(G_0(k)))$.)

THEOREM 6.25  If $G$ is a pseudorandom generator with expansion factor
$\ell(n) = 2n$, then Construction 6.24 is a pseudorandom function.


PROOF (Sketch)  The proof serves as another example of the hybrid technique.
Let $D$ be a probabilistic polynomial-time distinguisher that is given $1^n$
along with oracle access to a function that is either equal to a randomly-
chosen function $f$ mapping $n$-bit strings to $n$-bit strings, or is equal to $F_k$ for
a randomly-chosen key $k$.

We define a sequence of distributions on binary trees. By associating the
values at the leaves of any given binary tree of depth $n$ with strings of length $n$
(as in Figure 6.2), we can equivalently think of these as being distributions
over functions. Let $H^i_n$, for $0 \le i \le n$, denote the following distribution over
binary trees of depth $n$: values for the nodes at level $i$ are chosen independently
and uniformly at random from $\{0,1\}^n$; the value of any node at level $j > i$
is determined by looking at the value $k'$ of this node's parent and setting the
value of this node equal to $G_0(k')$ if it is a left child and setting the value
equal to $G_1(k')$ if it is a right child. (Note that, viewing this as a function,
values of nodes at levels $0$ through $i - 1$ are irrelevant.)

Notice that $H^n_n$ is a truly random function mapping $n$-bit strings to $n$-bit
strings, because the values of all the leaves (i.e., nodes at depth $n$) are
chosen uniformly and independently at random. On the other hand, $H^0_n$ is
exactly Construction 6.24 for a uniformly-chosen key, since only the root (at
level 0) is chosen at random and the value of every other node in the tree is
a deterministic function of the value of the root.

Using a hybrid argument as in the proof of Theorem 6.23, we obtain that
if a polynomial-time distinguisher $D$ can distinguish Construction 6.24 from
a truly random function with non-negligible probability, then there must be
values $i$ for which $H^i_n$ can be distinguished from $H^{i+1}_n$ with non-negligible
probability. We can use this to distinguish the pseudorandom generator from
random. Intuitively this follows because the only difference between the
neighboring hybrid distributions $H^i_n$ and $H^{i+1}_n$ is that in $H^i_n$ the pseudorandom
generator $G$ is applied for one additional level on the way from the root to
the leaves of the tree. The actual proof is trickier than this because we cannot
hold the entire $(i+1)$th level of the tree (it may be exponential in size).
Rather, let $t(n)$ be the maximum running-time of the distinguisher $D$ who
manages to distinguish Construction 6.24 from a random function. It follows
that $D$ makes at most $t(n)$ queries to its oracle function. Now, let $D'$
be a distinguisher for $G$ that receives an input of length $2n \cdot t(n)$ that is either
truly random or $t(n)$ invocations of $G(s)$ with independent random values of $s$
each time. (Although we have not shown it here, it is not difficult to show
that all of these samples together constitute a pseudorandom string of length
$2n \cdot t(n)$.) Then, $D'$ chooses a random $i \leftarrow \{0, \ldots, n-1\}$ and answers $D$'s
oracle queries as follows, initially holding an empty binary tree. Upon receiving
a query $x = x_1 \cdots x_n$ from $D$, distinguisher $D'$ uses $x_1 \cdots x_i$ to reach a
node on the $i$th level. Then, $D'$ takes one of its input samples (of length $2n$)
and labels the left child of the reached node with the first half of the sample
and the right child with the second half of the sample. $D'$ then continues to
compute the output as in Construction 6.24. Note that in future queries, if
the input $x$ brings $D'$ to a node that has already been filled, then $D'$ answers
consistently with the value that already exists there. Otherwise, $D'$ uses a new
sample from its input. (Notice that $D'$ fills the tree dynamically, depending
on $D$'s queries. It does this because the full tree is too large to hold.)

The important observations are as follows:

1. If $D'$ receives a truly random string of length $2n \cdot t(n)$, then it answers
$D$ exactly according to the distribution $H^{i+1}_n$. This holds because all
the values in level $i + 1$ in the tree that are (dynamically) constructed
by $D'$ are random.

2. If $D'$ receives pseudorandom input (i.e., $t(n)$ invocations of $G(s)$ with
independent values of $s$ each time), then it answers $D$ exactly according
to $H^i_n$. This holds because the values in level $i + 1$ are pseudorandom and
generated by $G$, exactly as defined. (The seeds to these pseudorandom
values are not known to $D'$ but this makes no difference to the result.)

Using a hybrid analysis as in the proof of Theorem 6.23, we see that if $D$
distinguishes Construction 6.24 from a truly random function with probability
$\varepsilon(n)$, then $D'$ distinguishes $t(n)$ invocations of $G(s)$ from a truly random
string of length $2n \cdot t(n)$ with probability $\varepsilon(n)/n$. If $\varepsilon(n)$ is non-negligible,
this contradicts the assumption that $G$ is a pseudorandom generator. ∎


6.6  Constructing  (Strong)  Pseudorandom  Permutations 

In this section, we show how pseudorandom permutations and strong pseudorandom
permutations can be constructed from pseudorandom functions.
Recall from Section 3.6.3 that a pseudorandom permutation is a pseudorandom
function $F$ that is also efficiently invertible (this implies that $F_k$ is a
permutation for any key $k$), while a strong pseudorandom permutation is
additionally hard to distinguish from a random permutation even by an
adversary given oracle access to both the permutation and its inverse.

Feistel networks revisited.  A Feistel network, introduced in Section 5.2,
is a way of constructing an invertible function from non-invertible operations.
In some sense, this is exactly what we wish to do here. A Feistel network
operates in a series of rounds. We view the input to the $i$th round as a string
of length $2n$, divided into two $n$-bit halves $L_{i-1}$ and $R_{i-1}$ (the "left half" and
the "right half", respectively). The output of the $i$th round will be the $2n$-bit
string $(L_i, R_i)$ where

$$L_i := R_{i-1} \quad \text{and} \quad R_i := L_{i-1} \oplus f_i(R_{i-1})$$

for some efficiently-computable (but not necessarily invertible) round function
$f_i$ mapping $n$-bit inputs to $n$-bit outputs.

Let us denote by $\mathrm{Feistel}_{f_1, \ldots, f_r}$ the $r$-round Feistel network using round
functions $f_1, \ldots, f_r$. (That is, $\mathrm{Feistel}_{f_1, \ldots, f_r}(L_0, R_0)$ outputs the $2n$-bit string
$(L_r, R_r)$.) We saw in Section 5.2 that for every value of $r$, $\mathrm{Feistel}_{f_1, \ldots, f_r}$ is an
efficiently-invertible permutation regardless of the round functions $\{f_i\}$. In
particular, this means that if $F$ is a pseudorandom function then $F^{(1)}$ defined
as

$$F^{(1)}_k(x) \stackrel{\mathrm{def}}{=} \mathrm{Feistel}_{F_k}(x)$$

is a keyed permutation. (Note that $F^{(1)}_k$ is a permutation over $\{0,1\}^{2n}$ when
$k \in \{0,1\}^n$.) However, is $F^{(1)}$ pseudorandom?
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FIGURE  6.3:  A four-round  Feistel  network,  as  used  to  construct  a strong 

pseudorandom  permutation  from  a pseudorandom  function. 


A little thought shows that $F^{(1)}$ is decidedly not pseudorandom. For any
key $k \in \{0,1\}^n$, the first $n$ bits of the output of $F^{(1)}_k$ (that is, $L_1$) are equal
to the last $n$ bits of the input (i.e., $R_0$), something that occurs with only
negligible probability for a random function. Continuing in this vein, we can
define a keyed permutation $F^{(2)} : \{0,1\}^{2n} \times \{0,1\}^{2n} \to \{0,1\}^{2n}$ as follows:

(Note that $k_1$ and $k_2$ are independent keys.) Unfortunately, $F^{(2)}$ is not
pseudorandom either, as you are asked to show in Exercise 6.18.

Given the above, it may be somewhat surprising that a three-round Feistel
network is pseudorandom. That is, define the keyed function $F^{(3)}$, taking a
key of length $3n$ and mapping $2n$-bit inputs to $2n$-bit outputs, as follows:

$$F^{(3)}_{k_1, k_2, k_3}(x) = \mathrm{Feistel}_{F_{k_1}, F_{k_2}, F_{k_3}}(x) \tag{6.11}$$

where, once again, $k_1$, $k_2$, and $k_3$ are chosen independently. It is possible to
prove the following result:

THEOREM 6.26  If $F$ is a length-preserving pseudorandom function, then
$F^{(3)}$ is a pseudorandom permutation that maps $2n$-bit strings to $2n$-bit strings
(and uses a key of length $3n$).
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is  not  strongly  pseudorandom  (you  are  asked  to  demonstrate  this  in 
Exercise  6.19).  Fortunately,  adding  a fourth  round  does  yield  a strong  pseu- 
dorandom permutation.  The  details  are  given  as  Construction  6.27;  see  also 
Figure  6.3. 


CONSTRUCTION 6.27

Let $F$ be a length-preserving keyed function. Define the keyed permutation
$F^{(4)}$ as follows:

• Inputs: A key $k \in \{0,1\}^{4n}$ parsed as $k = (k_1, k_2, k_3, k_4)$ with
$|k_i| = n$, and an input $x \in \{0,1\}^{2n}$ parsed as $(L_0, R_0)$ with $|L_0| =
|R_0| = n$.

• Computation:

  1. Compute $L_1 := R_0$ and $R_1 := L_0 \oplus F_{k_1}(R_0)$.

  2. Compute $L_2 := R_1$ and $R_2 := L_1 \oplus F_{k_2}(R_1)$.

  3. Compute $L_3 := R_2$ and $R_3 := L_2 \oplus F_{k_3}(R_2)$.

  4. Compute $L_4 := R_3$ and $R_4 := L_3 \oplus F_{k_4}(R_3)$.

  5. Output $(L_4, R_4)$.

A strong pseudorandom permutation from any pseudorandom function.

THEOREM  6.28  If  F is  a length-preserving  pseudorandom  function,  then 
Construction  6.27  is  a strong  pseudorandom  permutation  that  maps  2n-bit 
strings  to  2n-bit  strings  {and  uses  a key  of  length  4n). 

The  proofs  of  Theorems  6.26  and  6.28  are  technical  and  are  omitted,  and 
we  refer  to  [64]  for  those  interested. 
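The following Python code is an added example, not part of the original text. It implements the r-round Feistel network of Construction 6.27 and its inverse, with HMAC-SHA256 truncated to n bytes standing in for the length-preserving pseudorandom function F (an assumption made for the demonstration; the round keys and test inputs are constructed here). It also carries out the two checks a practitioner would want before trusting a Feistel-based cipher as a (strong) PRP: the two-query distinguisher that breaks the two-round network (the content of Exercise 6.18), and the distinguisher with two forward queries and one inverse query that breaks the three-round network (Exercise 6.19). Neither check succeeds against the four-round construction, which also passes an invertibility test.

```python
import hashlib
import hmac
import os

N = 16  # n = 128 bits per half; the block is 2n = 256 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for a length-preserving PRF F_k (assumption: HMAC-SHA256
    truncated to n bytes behaves as a PRF on n-byte inputs)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def feistel(keys, x: bytes) -> bytes:
    """Feistel_{F_k1,...,F_kr}(x): (L_i, R_i) := (R_{i-1}, L_{i-1} xor F_ki(R_{i-1}))."""
    assert len(x) == 2 * N
    L, R = x[:N], x[N:]
    for k in keys:
        L, R = R, xor(L, prf(k, R))
    return L + R


def feistel_inv(keys, y: bytes) -> bytes:
    """Inverse permutation: undo the rounds in reverse order. F is never inverted."""
    assert len(y) == 2 * N
    L, R = y[:N], y[N:]
    for k in reversed(keys):
        L, R = xor(R, prf(k, L)), L
    return L + R


def two_round_distinguisher(oracle) -> bool:
    """Two queries that share the right half R. After two rounds the left output
    half is L xor F_k1(R), so the left halves of the two answers XOR to L xor L'.
    A random permutation satisfies this relation with probability 2^-128."""
    L1, L2, R = os.urandom(N), os.urandom(N), os.urandom(N)
    y1, y2 = oracle(L1 + R), oracle(L2 + R)
    return xor(y1[:N], y2[:N]) == xor(L1, L2)


def three_round_distinguisher(oracle, inverse) -> bool:
    """Two forward queries and one inverse query. With (A, B) = P(L||R) and
    (A', B') = P(L'||R), the three-round preimage of A'||(B' xor L xor L') has
    right half R xor A xor A'. Unrelated to the output of a random permutation."""
    L1, L2, R = os.urandom(N), os.urandom(N), os.urandom(N)
    y1, y2 = oracle(L1 + R), oracle(L2 + R)
    A1, A2, B2 = y1[:N], y2[:N], y2[N:]
    x = inverse(A2 + xor(B2, xor(L1, L2)))
    return x[N:] == xor(R, xor(A1, A2))


# Constructed round keys (k_1, ..., k_4), derived deterministically for the demo.
KEYS = [hashlib.sha256(b"demo-round-key-%d" % i).digest()[:N] for i in range(1, 5)]


def run_checks() -> dict:
    """Which networks each distinguisher breaks, plus an invertibility check."""
    x = os.urandom(2 * N)
    return {
        "four_round_invertible": feistel_inv(KEYS, feistel(KEYS, x)) == x,
        "two_round_broken": two_round_distinguisher(lambda v: feistel(KEYS[:2], v)),
        "three_round_broken_with_inverse": three_round_distinguisher(
            lambda v: feistel(KEYS[:3], v), lambda v: feistel_inv(KEYS[:3], v)),
        "four_round_broken_by_2r_test": two_round_distinguisher(lambda v: feistel(KEYS, v)),
        "four_round_broken_by_3r_test": three_round_distinguisher(
            lambda v: feistel(KEYS, v), lambda v: feistel_inv(KEYS, v)),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The three-round distinguisher is exactly why "pseudorandom" and "strongly pseudorandom" must be kept apart in practice: a three-round network looks fine to any adversary that only encrypts, and breaks as soon as a decryption oracle is available (for example, a padding or decryption service exposed by a protocol).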


6.7  Necessary  Assumptions  for  Private-Key  Cryptography 

Summing  up  what  we  have  seen  so  far  in  this  chapter: 

1. If there exists a one-way permutation, then there exists a pseudorandom
generator.

2.  If  there  exists  a pseudorandom  generator,  then  there  exists  a pseudo- 
random function. 

3.  If  there  exists  a pseudorandom  function,  then  there  exists  a (strong) 
pseudorandom  permutation. 

Thus,  pseudorandom  generators  and  permutations  can  be  achieved  assuming 
the  existence  of  one-way  permutations.  In  actuality,  it  is  possible  to  construct 
pseudorandom generators from any one-way function, though we did not prove
this here. In any case, we have the following fundamental theorem:

THEOREM  6.29  If  there  exist  one-way  functions,  then  there  exist  pseudo- 
random generators,  pseudorandom  functions,  and  strong  pseudorandom  per- 
mutations. 

All  of  the  private-key  schemes  that  we  have  studied  in  Chapters  3 and  4 can 
be  constructed  from  pseudorandom  generators  and  pseudorandom  functions. 
We  therefore  have: 

THEOREM  6.30  If  there  exists  a one-way  function,  then  there  exists 
an  encryption  scheme  that  has  indistinguishable  encryptions  under  a chosen- 
ciphertext  attack,  and  a message  authentication  code  that  is  existentially  un- 
forgeable  under  a chosen  message  attack. 

Stated  informally,  one-way  functions  are  sufficient  for  all  private-key  cryp- 
tography. Given  this,  we  may  wonder  whether  one-way  functions  are  also 
necessary.  In  the  rest  of  this  section,  we  show  that  this  is  indeed  the  case. 

Pseudorandomness implies one-way functions. We begin by showing
that the existence of pseudorandom generators implies the existence of one-way
functions:

PROPOSITION  6.31  If  there  exists  a pseudorandom  generator,  then 
there  exists  a one-way  function. 

PROOF Let G be a pseudorandom generator with expansion factor
ℓ(n) = 2n. (By Theorem 6.23, we know that the existence of a pseudorandom
generator implies the existence of one with this expansion factor.) We show
that G itself is one-way. Efficient computability is straightforward (since G
can be computed in polynomial time). We show that the ability to invert G
can be translated into the ability to distinguish the output of G from random.
Intuitively, this holds because the ability to invert G implies the ability to
find the seed used by the generator.

Let A be a probabilistic polynomial-time algorithm, and define

    \varepsilon(n) \stackrel{\rm def}{=} \Pr[\mathsf{Invert}_{A,G}(n) = 1]

(cf. Definition 6.1). Construct the following distinguisher D that runs in
polynomial time: on input a string w ∈ {0,1}^{2n}, run A(w) to obtain output x.
If G(x) = w then output 1; otherwise, output 0.

We now analyze the behavior of D. First consider the probability that D
outputs 1 when its input string w is chosen at random. Since there are at
most 2^n values in the range of G (namely, the values {G(s)}_{s ∈ {0,1}^n}), the
probability that w is in the range of G is at most 2^{-n}. When this is not the
case, it is impossible for A to compute an inverse of w and thus impossible
for D to output 1. We conclude that

    \Pr_{w \leftarrow \{0,1\}^{2n}}[D(w) = 1] \le 2^{-n}.

On the other hand, if w = G(s) for a seed s ∈ {0,1}^n chosen uniformly
at random, then, by definition, A computes a correct inverse (and so D outputs
1) with probability exactly ε(n). We thus see that

    \left| \Pr_{w \leftarrow \{0,1\}^{2n}}[D(w) = 1] - \Pr_{s \leftarrow \{0,1\}^{n}}[D(G(s)) = 1] \right| \ge \varepsilon(n) - 2^{-n}.

Since G is a pseudorandom generator, there exists a negligible function negl
for which ε(n) − 2^{-n} ≤ negl(n). We conclude that ε(n) is negligible, proving
that G is a one-way function. ∎


Private-key  encryption  schemes  imply  one-way  functions.  Proposi- 
tion 6.31  tells  us  that  if  we  want  to  build  pseudorandom  generators  or  func- 
tions, then  we  need  to  assume  that  one-way  functions  exist.  This  does  not 
immediately  imply  that  one-way  functions  are  needed  for  constructing  secure 
private-key  encryption  schemes,  since  it  may  be  possible  to  construct  secure 
encryption  schemes  without  relying  on  these  primitives.  Furthermore,  it  is 
possible  to  construct  perfectly-secret  encryption  schemes  (see  Chapter  2),  as 
long  as  the  plaintext  is  no  longer  than  the  key.  Thus,  the  proof  that  secure 
private-key  encryption  implies  one-way  function  must  be  more  subtle. 

We  now  prove  that  an  encryption  scheme  satisfying  the  weakest  definition 
of  security  we  have  considered  (namely,  a scheme  having  indistinguishable 
encryptions  in  the  presence  of  an  eavesdropper)  implies  the  existence  of  a 
one-way  function. 

PROPOSITION 6.32 If there exists a private-key encryption scheme
that has indistinguishable encryptions in the presence of an eavesdropper (as
in Definition 3.8), then there exists a one-way function.

PROOF  We  rely  in  the  proof  on  the  fact  that  Definition  3.8  requires  se- 
curity to  hold  for  the  encryption  of  arbitrary-length  messages.  Actually,  all 
we  need  is  for  the  encryption  scheme  to  support  the  encryption  of  messages 
longer  than  the  key.  Importantly,  the  theorem  does  not  hold  for  encryption 
schemes  (such  as  the  perfectly-secure  one-time  pad)  that  encrypt  messages  of 
length  equal  to  the  key. 

Let Π = (Gen, Enc, Dec) be a private-key encryption scheme that has
indistinguishable encryptions in the presence of an eavesdropper. Assume that
when an n-bit key is used, Enc uses at most ℓ(n) bits of randomness in order to
encrypt a plaintext message of length 2n. Denote an encryption of a message
m with key k and random coins r by Enc_k(m; r).

Define a function f by

    f(k, m, r) \stackrel{\rm def}{=} (\mathsf{Enc}_k(m; r), m),

where |k| = n, |m| = 2n, and |r| = ℓ(n). We claim that f is a one-way
function. The fact that it can be efficiently computed is immediate. We show
that it is hard to invert. Let A be a probabilistic polynomial-time algorithm
and set

    \varepsilon(n) \stackrel{\rm def}{=} \Pr[\mathsf{Invert}_{A,f}(n) = 1]

(cf. Definition 6.1). We show that ε(n) is negligible, which will complete the
proof that f is one-way.

Consider the following probabilistic polynomial-time adversary A' that runs
in experiment PrivK^{eav}_{A',Π}(n):

Adversary A':

1. Choose random m_0, m_1 ← {0,1}^{2n} and output these two
messages. Receive in return a challenge ciphertext c.

2. Run A(c, m_0) to obtain (k', m', r'). If f(k', m', r') = (c, m_0),
output 0; else, output a random bit.

Let us analyze the probability that A' outputs 0 when b = 0. (Recall
that b = 0 means that the challenge ciphertext is an encryption of m_0.) Let
invert_A denote the event that A outputs (k', m', r') with f(k', m', r') = (c, m_0).
(When invert_A occurs, the key k' output by A may not be the "correct key",
i.e., it may not be equal to the key k used by the experiment to compute the
challenge ciphertext; but this does not matter for our purposes.) Observe
that when b = 0 the event invert_A occurs with probability exactly ε(n). This
is true since the key k used to compute c is chosen uniformly at random, as
are the message m_0 and the random coins used to compute c.

When invert_A occurs, adversary A' outputs 0. When invert_A does not occur,
A' outputs a random bit. So, the probability that A' succeeds (i.e., outputs
the correct answer) when b = 0 is given by

    \Pr[\mathsf{PrivK}^{\rm eav}_{A',\Pi}(n) = 1 \mid b = 0]
      = \Pr[\mathsf{invert}_A \mid b = 0] + \tfrac{1}{2} \cdot (1 - \Pr[\mathsf{invert}_A \mid b = 0])
      = \varepsilon(n) + \tfrac{1}{2} \cdot (1 - \varepsilon(n))
      = \tfrac{1}{2} + \tfrac{\varepsilon(n)}{2}.


We proceed to analyze the probability that A' outputs 1 when b = 1. As
before, we begin by determining the probability that invert_A occurs. At first
sight, it may appear that invert_A can never occur when b = 1 since then c is
an encryption of m_1 and so, seemingly, A cannot possibly find (k', m', r') with
f(k', m', r') = (c, m_0). This is not true, however, since for some c = Enc_k(m_1)
there may exist a different key k' such that m_0 = Dec_{k'}(c); indeed, perfectly-
secret encryption schemes always have this property for every m_0 and m_1.

Nevertheless, we show that when b = 1 the event invert_A occurs with at most
negligible probability. To see this, fix a challenge ciphertext c = Enc_k(m_1)
and note that when b = 1 this ciphertext is independent of m_0. Now, there
are at most 2^n possible messages (one for each possible value of the key)
that the ciphertext c can correspond to. If m_0 happens to be one of these
possibilities, then we cannot bound the probability that invert_A occurs. On
the other hand, if m_0 is not one of these possibilities, then invert_A cannot
possibly occur (because in this case (c, m_0) is not in the range of f). Since
there are at most 2^n possible messages corresponding to c, and m_0 is chosen
uniformly at random from {0,1}^{2n}, the probability that invert_A occurs is
at most 2^n/2^{2n} = 2^{-n}. This, in turn, means that the probability that A'
succeeds when b = 1 is given by

    \Pr[\mathsf{PrivK}^{\rm eav}_{A',\Pi}(n) = 1 \mid b = 1]
      = \tfrac{1}{2} \cdot (1 - \Pr[\mathsf{invert}_A \mid b = 1])
      \ge \tfrac{1}{2} \cdot (1 - 2^{-n})
      = \tfrac{1}{2} - 2^{-(n+1)}.

Putting the above together along with the fact that b is chosen at random,
we have:

    \Pr[\mathsf{PrivK}^{\rm eav}_{A',\Pi}(n) = 1]
      = \tfrac{1}{2} \cdot \Pr[\mathsf{PrivK}^{\rm eav}_{A',\Pi}(n) = 1 \mid b = 0]
        + \tfrac{1}{2} \cdot \Pr[\mathsf{PrivK}^{\rm eav}_{A',\Pi}(n) = 1 \mid b = 1]
      \ge \tfrac{1}{2} \cdot \left( \tfrac{1}{2} + \tfrac{\varepsilon(n)}{2} \right)
        + \tfrac{1}{2} \cdot \left( \tfrac{1}{2} - 2^{-(n+1)} \right)
      = \tfrac{1}{2} + \tfrac{\varepsilon(n)}{4} - 2^{-(n+2)}.

Security of Π means that Pr[PrivK^{eav}_{A',Π}(n) = 1] ≤ 1/2 + negl(n) for some
negligible function negl. This in turn implies that ε(n) is negligible, completing
the proof that f is one-way. ∎
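The requirement that messages be longer than the key is easy to lose sight of, so here is an added Python example (not part of the original text) that builds the function f(k, m) = (Enc_k(m), m) from the proof for two deterministic schemes. For the one-time pad with |m| = |k|, f is trivially invertible: any pair (c, m) has the preimage k = c ⊕ m, which is exactly why the proposition excludes such schemes. For a stream cipher that encrypts a 2n-bit message as G(k) ⊕ m, inverting f means finding a seed consistent with a known plaintext/ciphertext pair; the only generic method is exhaustive search over 2^n seeds. The generator G used here is SHA-256 in counter mode, assumed (for the demonstration only) to act as a PRG, and the key sizes are kept tiny so that the search actually terminates.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in PRG G: SHA-256 in counter mode, expanding `seed` to out_len bytes.
    Demo assumption only; it plays the role of 'some PRG', not a proven one."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


# --- Scheme 1: one-time pad, |m| = |k| (perfectly secret, deterministic Enc).
def enc_otp(k: bytes, m: bytes) -> bytes:
    assert len(k) == len(m)
    return xor(k, m)


def f_otp(k: bytes, m: bytes):
    """f(k, m) = (Enc_k(m), m) for the one-time pad."""
    return enc_otp(k, m), m


def invert_otp(c: bytes, m: bytes) -> bytes:
    """f_otp is not one-way: (c, m) always has the preimage k = c xor m."""
    return xor(c, m)


# --- Scheme 2: PRG-stretched stream cipher, |m| = 2|k|.
def enc_stream(k: bytes, m: bytes) -> bytes:
    assert len(m) == 2 * len(k)
    return xor(prg(k, len(m)), m)


def f_stream(k: bytes, m: bytes):
    """f(k, m) = (Enc_k(m), m) for the stream cipher; inverting it = seed recovery."""
    return enc_stream(k, m), m


def invert_stream_bruteforce(c: bytes, m: bytes, key_len: int):
    """Generic inverter: try every key. Returns (key, number_of_trials).
    Cost is 2^(8*key_len) PRG evaluations, exponential in the key length."""
    for i in range(256 ** key_len):
        k = i.to_bytes(key_len, "big")
        if enc_stream(k, m) == c:
            return k, i + 1
    return None, 256 ** key_len


def demo() -> dict:
    # Constructed sample inputs for the two schemes.
    k_otp, m_otp = b"\x13\x37\xc0\xde", b"\xde\xad\xbe\xef"
    c_otp, _ = f_otp(k_otp, m_otp)
    otp_recovered = invert_otp(c_otp, m_otp)

    k_str = b"\xab\xcd"           # 16-bit key: tiny so the search finishes
    m_str = b"\x01\x02\x03\x04"   # 2n = 32-bit message
    c_str, _ = f_stream(k_str, m_str)
    found, trials = invert_stream_bruteforce(c_str, m_str, len(k_str))
    return {
        "otp_inverted": otp_recovered == k_otp,
        "stream_preimage_valid": found is not None and enc_stream(found, m_str) == c_str,
        "stream_trials": trials,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the brute-force inverter is allowed to return any key k' with Enc_{k'}(m) = c, not necessarily the key that was used; this matches the proof, where invert_A only requires f(k', m', r') = (c, m_0).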


Message  authentication  codes  imply  one-way  functions.  It  is  also 
true  that  message  authentication  codes  satisfying  Definition  4.2  imply  the  ex- 
istence of  one-way  functions.  As  in  the  case  of  private-key  encryption,  the 
proof  of  this  fact  is  somewhat  subtle  because  unconditionally-secure  message 
authentication  codes  do  exist  when  there  is  an  a priori  bound  on  the  number 
of messages that will be authenticated. Thus, a proof relies on the fact that
Definition  4.2  requires  security  even  when  the  adversary  sees  the  authenti- 
cation tags  of  an  arbitrary  (polynomial)  number  of  messages.  The  proof  is 
rather  involved,  so  we  do  not  give  it  here. 

Discussion.  We  conclude  that  the  existence  of  one-way  functions  is  both  a 
necessary  and  sufficient  assumption  for  achieving  all  non-trivial  private-key 
cryptography.  In  other  words,  the  assumption  regarding  the  existence  of  one- 
way functions  is  minimal  as  far  as  private-key  cryptography  is  concerned.  This 
seems  not  to  be  the  case  for  public-key  encryption  that  we  will  study  later. 
Although  one-way  functions  are  necessary  also  for  public-key  encryption,  they 
appear  not  to  be  sufficient.  (Besides  the  fact  that  we  do  not  know  how  to 
construct  public-key  encryption  from  one-way  functions,  there  is  also  evidence 
that  such  constructions  are,  in  some  sense,  “unlikely  to  exist”.) 


6.8  A Digression  — Computational  Indistinguishability 

The  notion  of  computational  indistinguishability  is  central  to  the  theory  of 
cryptography.  It  underlies  much  of  what  we  have  seen  in  this  chapter,  and  is 
therefore  worthy  of  explicit  treatment.  Informally  speaking,  two  probability 
distributions  are  computationally  indistinguishable  if  no  efficient  algorithm 
can  tell  them  apart  (or  distinguish  them).  This  is  formalized  as  follows.  Let 
D be  some  probabilistic  polynomial-time  algorithm,  or  distinguisher.  Then, 
D is  provided  either  with  a sample  from  the  first  distribution  or  the  second 
one.  We  say  that  the  distributions  are  computationally  indistinguishable  if 
every  such  distinguisher  D outputs  1 with  almost  the  same  probability  upon 
receiving  a sample  from  the  first  or  second  distribution.  This  should  sound 
very  familiar,  and  is  in  fact  exactly  how  we  defined  pseudorandom  generators. 
Indeed,  a pseudorandom  generator  is  an  algorithm  that  generates  a distribu- 
tion that  is  computationally  indistinguishable  from  the  uniform  distribution 
over  strings  of  a certain  length.  Below,  we  will  formally  redefine  the  notion  of 
a pseudorandom  generator  in  this  way. 

The actual definition of computational indistinguishability refers to probability
ensembles. These are infinite sequences of probability distributions
(rather than being a single distribution). This formalism is a necessary consequence
of the asymptotic approach, because distinguishing two fixed finite
distributions is "easy" using exhaustive search.

DEFINITION 6.33 Let I be a countable set. A probability ensemble indexed
by I is a collection of random variables {X_i}_{i ∈ I}.

In most cases, I is either the natural numbers N or an efficiently computable
subset of {0,1}*. When I = N, an ensemble is just a sequence of random
variables X_1, X_2, ..., and the random variable X_n might correspond to the
output of some cryptographic scheme when the security parameter is set to n.
In this case X_n would typically take values in {0,1}^{≤ p(n)} (i.e., bit-strings of
length at most p(n)) for some polynomial p.

With  this  notation  in  hand,  we  can  now  formally  define  what  it  means  for 
two  ensembles  to  be  computationally  indistinguishable. 

DEFINITION 6.34 Two probability ensembles X = {X_n}_{n ∈ N} and
Y = {Y_n}_{n ∈ N} are computationally indistinguishable, denoted X \stackrel{c}{\equiv} Y, if for
every probabilistic polynomial-time distinguisher D there exists a negligible
function negl such that:

    \left| \Pr[D(1^n, X_n) = 1] - \Pr[D(1^n, Y_n) = 1] \right| \le \mathsf{negl}(n),

where the notation D(1^n, X_n) means that x is chosen according to distribution
X_n and then D(1^n, x) is run.

The distinguisher D is given the unary input 1^n so that it can run in time
polynomial in n. This is important when the output of X_n and Y_n may be
very short.

6.8.1  Pseudorandomness  and  Pseudorandom  Generators 

Pseudorandomness is just a special case of computational indistinguishability.
Let U_{ℓ(n)} denote the uniform distribution over {0,1}^{ℓ(n)}. Then we have
the following definition:

DEFINITION 6.35 An ensemble X = {X_n}_{n ∈ N} is pseudorandom if for
some polynomial ℓ(·) the ensemble X is computationally indistinguishable from
the ensemble U = {U_{ℓ(n)}}_{n ∈ N}.


This, in turn, can be used to redefine the notion of a pseudorandom generator
(cf. Definition 3.14):

DEFINITION 6.36 Let ℓ(·) be a polynomial and let G be a (deterministic)
polynomial-time algorithm where for all s it holds that |G(s)| = ℓ(|s|). We
say that G is a pseudorandom generator if the following two conditions hold:

1. (Expansion:) For every n it holds that ℓ(n) > n.

2. (Pseudorandomness:) The ensemble {G(U_n)}_{n ∈ N} is pseudorandom.
Many of the other definitions and assumptions in this book can also be
cast as special cases of computational indistinguishability. Despite the fact
that this involves jumping ahead, we give one example: the decisional Diffie-
Hellman (DDH) assumption of Section 7.3.2 can be formalized by stating
that the ensemble of tuples of the type (G, q, g, g^x, g^y, g^{xy}) is computationally
indistinguishable from the ensemble of tuples of the type (G, q, g, g^x, g^y, g^z),
where (G, q, g) are output by some algorithm 𝒢(1^n) and x, y, z are randomly
chosen from Z_q.


6.8.2  Multiple  Samples 

An important general theorem regarding computational indistinguishability
is that multiple samples of computationally indistinguishable ensembles
are also computationally indistinguishable. For example, consider a pseudorandom
generator G with expansion factor ℓ. Then, the output of p(n)
independent applications of G is a pseudorandom string of length p(n) · ℓ(n).
That is, {(G(s_1), ..., G(s_{p(n)}))}_{n ∈ N} is computationally indistinguishable from the
uniform distribution over {0,1}^{p(n) · ℓ(n)}, where s_1, ..., s_{p(n)} are independently
chosen random strings of length n. We prove this theorem because it is used
very often in cryptographic proofs (e.g., we relied on it in the proof of Theorem
6.25), and also because it is another example of a hybrid argument (as
seen in the proof of Theorem 6.23).

Say an ensemble X = {X_n}_{n ∈ N} is efficiently sampleable if there exists a
probabilistic polynomial-time algorithm S such that for every n, the random
variables S(1^n) and X_n are identically distributed. That is, the algorithm S is
an efficient way of sampling X. Clearly, the ensemble generated by a pseudorandom
generator is efficiently sampleable: the algorithm S chooses a random
string s of length n and then outputs G(s). We now prove that if two efficiently
sampleable ensembles X and Y are computationally indistinguishable,
then a polynomial number of (independent) samples of X are computationally
indistinguishable from a polynomial number of (independent) samples of
Y. (The theorem does not hold if X and Y are not efficiently sampleable.)
We denote by \overline{X} = {(X_n^{(1)}, ..., X_n^{(p(n))})}_{n ∈ N} the ensemble generated by p(n)
independent samples of X_n; likewise for \overline{Y}. For the sake of clarity, we do not
explicitly give the distinguisher the input 1^n, but assume that it knows the
value of the security parameter and can run in time polynomial in n.

THEOREM 6.37 Let X and Y be efficiently sampleable ensembles that
are computationally indistinguishable. Then, for every polynomial p(·), the
ensemble \overline{X} = {(X_n^{(1)}, ..., X_n^{(p(n))})}_{n ∈ N} is computationally indistinguishable
from the ensemble \overline{Y} = {(Y_n^{(1)}, ..., Y_n^{(p(n))})}_{n ∈ N}.
PROOF The proof is by reduction. We show that if there exists a probabilistic
polynomial-time distinguisher D that distinguishes \overline{X} from \overline{Y} with
non-negligible success, then there exists a probabilistic polynomial-time
distinguisher D' that distinguishes a single sample of X from a single sample of Y
with non-negligible success. Formally, fix some probabilistic polynomial-time
distinguisher D and define

    \varepsilon(n) \stackrel{\rm def}{=} \left| \Pr[D(X_n^{(1)}, \ldots, X_n^{(p(n))}) = 1] - \Pr[D(Y_n^{(1)}, \ldots, Y_n^{(p(n))}) = 1] \right|.

For 0 ≤ i ≤ p(n), we define a hybrid random variable H_n^i as a sequence
containing i independent copies of X_n followed by p(n) − i independent copies
of Y_n. I.e.,

    H_n^i \stackrel{\rm def}{=} (X_n^{(1)}, \ldots, X_n^{(i)}, Y_n^{(i+1)}, \ldots, Y_n^{(p(n))}).

Notice that H_n^0 = \overline{Y}_n and H_n^{p(n)} = \overline{X}_n. The main idea behind the hybrid
argument is that if D can distinguish these extreme hybrids, then it can also
distinguish neighboring hybrids (even though it was not "designed" to do so).
In order to see this, and before we proceed to the formal argument, we present
the basic hybrid analysis. We know that:

    \left| \Pr[D(\overline{X}_n) = 1] - \Pr[D(\overline{Y}_n) = 1] \right|
      = \left| \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i+1}) = 1] - \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i}) = 1] \right|.

This follows from the fact that the only terms remaining in this telescopic
sum are Pr[D(H_n^{p(n)}) = 1] and Pr[D(H_n^0) = 1]. Therefore,

    \varepsilon(n) = \left| \Pr[D(\overline{X}_n) = 1] - \Pr[D(\overline{Y}_n) = 1] \right|
      = \left| \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i+1}) = 1] - \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i}) = 1] \right|
      \le \sum_{i=0}^{p(n)-1} \left| \Pr[D(H_n^{i}) = 1] - \Pr[D(H_n^{i+1}) = 1] \right|.

Thus, there exists an i for which

    \left| \Pr[D(H_n^{i}) = 1] - \Pr[D(H_n^{i+1}) = 1] \right| \ge \varepsilon(n)/p(n).

The only difference between H_n^i and H_n^{i+1} occurs in the (i+1)st sample (in
both distributions, the first i samples are from X_n and the last p(n) − i − 1 samples
are from Y_n). So, the fact that D can distinguish between H_n^i and H_n^{i+1} can
be used to construct a D' that distinguishes between a single sample of X
and a single sample of Y, in contradiction to the assumption that X \stackrel{c}{\equiv} Y. In
the formal proof below, D' will choose i at random (because it does not know
for which values of i it holds that D distinguishes well).

Formally, we construct a probabilistic polynomial-time distinguisher D' for
a single sample of X_n and Y_n. Upon input a single sample α, D' chooses a
random i ← {0, ..., p(n) − 1}, generates the vector H_n = (X_n^{(1)}, ..., X_n^{(i)}, α,
Y_n^{(i+2)}, ..., Y_n^{(p(n))}), invokes D on the vector H_n, and outputs whatever D
does.^1 Now, if α is distributed according to X_n, then H_n is distributed
exactly like H_n^{i+1} (because the first i + 1 samples are from X_n and the last
p(n) − i − 1 from Y_n). In contrast, if α is distributed according to Y_n, then H_n is
distributed exactly like H_n^i (because the first i samples are from X_n and the
last p(n) − i from Y_n). This argument holds because the samples are independent
and so it makes no difference who generates the samples and in which order.
Now, each i is chosen with probability exactly 1/p(n). Therefore,

    \Pr[D'(X_n) = 1] = \frac{1}{p(n)} \cdot \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i+1}) = 1]

and

    \Pr[D'(Y_n) = 1] = \frac{1}{p(n)} \cdot \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i}) = 1].

It therefore follows that:

    \left| \Pr[D'(X_n) = 1] - \Pr[D'(Y_n) = 1] \right|
      = \frac{1}{p(n)} \cdot \left| \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i+1}) = 1] - \sum_{i=0}^{p(n)-1} \Pr[D(H_n^{i}) = 1] \right|
      = \frac{1}{p(n)} \cdot \left| \Pr[D(H_n^{p(n)}) = 1] - \Pr[D(H_n^{0}) = 1] \right|
      = \frac{1}{p(n)} \cdot \left| \Pr[D(\overline{X}_n) = 1] - \Pr[D(\overline{Y}_n) = 1] \right|
      \ge \frac{\varepsilon(n)}{p(n)}.

Since X \stackrel{c}{\equiv} Y, we know that there exists a negligible function negl such that
|Pr[D'(X_n) = 1] − Pr[D'(Y_n) = 1]| ≤ negl(n). Since p is polynomial, this implies
that ε must be negligible. ∎


^1 The efficient sampleability of X and Y is needed for constructing the vector H_n.
Exercises

6.1 Show that the addition function f(x, y) = x + y (where |x| = |y| and
x and y are interpreted as natural numbers) is not one-way. Likewise,
show that f(x) = x^2 is not one-way.

6.2 Prove that if there exists a one-way function, then there exists a one-way
function f such that for every n, f(0^n) = 0^n. Provide a full (formal)
proof of your answer. Note that this demonstrates that for infinitely
many values x, the function f is easy to invert. Why does this not
contradict one-wayness?

6.3 Show that if there exists a one-way function, then there exists a length-
preserving one-way function. Provide a full proof of your answer.

Hint: Let f be a one-way function and let p(·) be a polynomial such
that |f(x)| ≤ p(|x|) (justify the existence of such a p). Define f'(x) =

. Prove that f' is length-preserving and one-way.
6.4 Prove that if f is a one-way function, then g(x_1, x_2) = (f(x_1), x_2) where
|x_1| = |x_2| is also a one-way function. Observe that g fully reveals half
of its input bits, but is nevertheless still one-way.


6.5 Let f be a length-preserving one-way function, and let hc be a hard-core
predicate for f. Define G as G(x) = (f(x), hc(x)). Is G a pseudorandom
generator? Prove your answer.

6.6  Prove  that  there  exist  one-way  functions  if  and  only  if  there  exist  families 
of  one-way  functions.  Discuss  why  your  proof  does  not  carry  over  to  the 
case  of  one-way  permutations. 

6.7 Let f be a one-way function. Is g(x) = f(f(x)) necessarily a one-way
function? What about g(x) = (f(x), f(f(x)))? Prove your answers.

6.8 This exercise is for students who have taken a course in complexity
theory or are otherwise familiar with NP-completeness.

(a) Show that the existence of one-way functions implies P ≠ NP.

(b) Assume that P ≠ NP. Show that there exists a function f
that is: (1) computable in polynomial time, (2) hard to invert
in the worst case (i.e., for all probabilistic polynomial-time A,
\Pr_{x \leftarrow \{0,1\}^n}[f(A(f(x))) = f(x)] \ne 1), but (3) is not one-way.

6.9 Let x ∈ {0,1}^n and denote x = x_1 ··· x_n. Prove that if there exists a
one-way function, then there exists a one-way function f such that for
every i there exists an algorithm A_i such that

    \Pr_{x \leftarrow \{0,1\}^n}[A_i(f(x)) = x_i] \ge \frac{1}{2} + \frac{1}{2n}.

(This exercise demonstrates that it is not possible to claim that every
one-way function hides at least one specific bit of the input.)


6.10  Show  that  if  a one-to-one  function  has  a hard-core  predicate,  then  it  is 
one-way. 


6.11  Complete  the  proof  of  Proposition  6.15  by  finding  the  Chernoff  bound 
and  applying  it  to  the  improved  procedure  of  A'  for  guessing  Xj. 

6.12  Prove  Claim  6.21. 

6.13 Let G be a pseudorandom generator. Prove that

    G'(x_1 ‖ ··· ‖ x_n) = (G(x_1) ‖ G(x_2) ‖ ··· ‖ G(x_n)),

where |x_1| = ··· = |x_n| = n, is a pseudorandom generator.

Hint: Use a hybrid argument. You may not use Theorem 6.37.
6.14 Prove that the function G' defined by

    G'(s) = G_0(G_0(s)), G_0(G_1(s)), G_1(G_0(s)), G_1(G_1(s))

is a pseudorandom generator with expansion factor ℓ(n) = 4n.

6.15 Show that if Construction 6.24 is modified so that the adversary is allowed
to query F_k(x) for any string x ∈ {0,1}^{≤ n} (i.e., any non-empty
string of length at most n), then the construction is no longer a pseudorandom
function.

6.16 Prove that if there exists a pseudorandom function F that, using a key
of length n, maps p(n)-bit inputs to single-bit outputs, then there exists
a pseudorandom function that maps p(n)-bit inputs to n-bit outputs.
(Here n, as usual, denotes the security parameter.) You should give a
direct construction that does not rely on the results of Section 6.7.

Hint: Use a key of length n^2, and prove your construction secure using
a hybrid argument.

6.17  Assuming  the  existence  of  a pseudorandom  permutation,  prove  that 
there  exists  a keyed  permutation  F that  is  pseudorandom  but  is  not 
strongly  pseudorandom. 

Hint:  Though  this  follows  from  Exercise  6.19,  a direct  proof  is  possible. 

6.18  Prove  that  a two-round  Feistel  network  using  pseudorandom  round  func- 
tions (as  in  Equation  (6.10))  is  not  pseudorandom. 

6.19  Prove  that  a three-round  Feistel  network  using  pseudorandom  round 
functions  (as  in  Equation  (6.11))  is  not  strongly  pseudorandom. 

Hint:  This  is  significantly  more  difficult  than  the  previous  exercise.  Use 
a distinguisher  that  makes  two  queries  to  the  permutation  and  one  query 
to  its  inverse. 

6.20 Let G be a pseudorandom generator with expansion factor ℓ(n) = n + 1.
Prove that G is a one-way function.

6.21 Let X = {X_n}_{n ∈ N} and Y = {Y_n}_{n ∈ N} be computationally indistinguishable
probability ensembles.

(a) Prove that for any probabilistic polynomial-time algorithm A it
holds that {A(X_n)}_{n ∈ N} and {A(Y_n)}_{n ∈ N} are computationally
indistinguishable.

(b) Prove that the above may no longer hold if A does not run in
polynomial time.
Chapter 7


Number  Theory  and  Cryptographic 
Hardness  Assumptions 


Modern  cryptography,  as  we  have  seen,  is  almost  always  based  on  an  as- 
sumption that  some  problem  cannot  be  solved  in  polynomial  time.  (See  Sec- 
tion 1.4.2  for  a discussion  of  this  point.)  In  Chapters  3 and  4,  for  example,  we 
saw  that  efficient  private-key  cryptography  — both  encryption  and  message 
authentication  — can  be  based  on  the  assumption  that  pseudorandom  per- 
mutations exist.  Recall  that,  roughly  speaking,  this  means  that  there  exists 
some  keyed  permutation  F for  which  it  is  impossible  to  distinguish  in  poly- 
nomial time  between  interactions  with  Fk  (for  a randomly-chosen  key  k)  and 
interactions  with  a truly  random  permutation. 

On the face of it, the assumption that pseudorandom permutations exist
seems  quite  strong  and  unnatural,  and  it  is  reasonable  to  ask  whether  this 
assumption  is  likely  to  be  true  or  whether  there  is  any  evidence  to  support 
it.  In  Chapter  5 we  explored  how  pseudorandom  permutations  (i.e.,  block 
ciphers)  are  constructed  in  practice.  The  resistance  of  these  constructions  to 
attack  at  least  serves  as  an  indication  that  the  existence  of  pseudorandom 
permutations  is  plausible.  Still,  it  is  difficult  to  imagine  looking  at  some  F 
and  somehow  being  convinced  on  any  intuitive  level  that  it  is  a pseudorandom 
permutation.  Moreover,  the  current  state  of  our  theory  is  such  that  we  do 
not  know  how  to  prove  the  pseudorandomness  of  any  of  the  existing  practical 
constructions  relative  to  any  “more  reasonable”  assumption.  All  in  all,  this  is 
a not  entirely  satisfying  state  of  affairs. 

In  contrast,  as  mentioned  in  Chapter  3 (and  investigated  in  detail  in  Chap- 
ter 6)  it  is  possible  to  prove  that  pseudorandom  permutations  exist  based  on 
the  much  milder  assumption  that  one-way  functions  exist.  (Informally,  a func- 
tion is  one-way  if  it  is  easy  to  compute  but  hard  to  invert;  see  Section  7.4.1.) 
Apart  from  a brief  discussion  in  Section  6.1.2,  however,  we  have  not  yet  seen 
any  concrete  examples  of  functions  believed  to  be  one-way. 

One  of  the  goals  of  this  chapter  is  to  introduce  various  problems  that  are 
believed  to  be  “hard” , and  to  present  the  conjectured  one-way  functions  that 
can  be  based  on  these  problems.^  The  second  goal  of  this  chapter  is  to  develop 


^Recall  that  we  currently  do  not  know  how  to  prove  that  one-way  functions  exist,  and  so 
the  best  we  can  do  is  to  base  one-way  functions  on  assumptions  regarding  the  hardness  of 
certain  problems. 
the basis needed for studying public-key cryptography (the next main topic
of  this  book). 

All  the  examples  we  explore  will  be  number- theoretic  in  nature,  and  we 
therefore  begin  with  a short  introduction  to  number  theory  and  group  the- 
ory. Because  we  are  additionally  interested  in  problems  that  can  be  solved 
efficiently  (even  a one-way  function  needs  to  be  easy  to  compute  in  one  di- 
rection, and  a cryptographic  scheme  must  admit  efficient  algorithms  for  the 
honest  parties),  we  also  initiate  a study  of  algorithmic  number  theory.  Thus, 
even  the  reader  who  is  familiar  with  number  theory  or  group  theory  is  en- 
couraged to  read  this  chapter,  since  algorithmic  aspects  are  typically  ignored 
in  a purely  mathematical  treatment  of  these  topics. 

In  the  context  of  algorithmic  number  theory,  a brief  word  is  in  order  re- 
garding what  is  meant  by  “polynomial  time” . An  algorithm’s  running  time 
is always measured as a function of the length(s) of its input(s). (If the algorithm is given as additional input a security parameter $1^n$ then the total input length is increased by $n$.) This means, for example, that the running time of an algorithm taking as input an integer $N$ is measured in terms of $\|N\|$, the length of the binary representation of $N$, and not in terms of $N$ itself. An algorithm running in time $\Theta(N)$ on input $N$ is thus actually an exponential-time algorithm when measured in terms of its input length $\|N\| = O(\log N)$.

The  material  in  this  chapter  is  not  intended  to  be  a comprehensive  survey 
of  number  theory,  but  is  intended  rather  to  present  the  minimal  amount  of 
material  needed  for  the  cryptographic  applications  discussed  in  the  remainder 
of  the  book.  Accordingly,  our  discussion  of  number  theory  is  broken  into  two; 
the  material  covered  in  this  chapter  is  sufficient  for  understanding  Chapters  8- 
10,  12,  and  13.  In  Chapter  11,  additional  number  theory  is  developed  that  is 
used  only  within  that  chapter. 

The reader may be wondering why there was no discussion of number theory 
thus  far,  and  why  it  is  suddenly  needed  now.  There  are  two  reasons  for  placing 
number  theory  at  this  point  of  the  book: 

1.  This  chapter  can  be  viewed  as  a culmination  of  the  “top  down”  approach 
we  have  taken  in  developing  private-key  cryptography  in  Chapters  3—6. 
That  is,  we  have  shown  in  Chapters  3 and  4 that  all  of  private-key 
cryptography  can  be  based  on  pseudorandom  functions  and  permuta- 
tions. The  latter  can  be  instantiated  in  practice  using  block  ciphers, 
as  explored  in  Chapter  5,  but  can  also  be  constructed  in  a rigorous 
and  provably-sound  manner  from  any  one-way  function,  as  shown  in 
Chapter  6.  Here,  we  take  this  one  step  further  and  show  how  one-way 
functions  can  be  based  on  certain  hard  mathematical  problems.  We 
summarize  this  top-down  approach  in  Figure  7.1. 

2.  A second  motivation  for  studying  this  material  illustrates  a difference 
between  the  private-key  setting  we  have  been  concerned  with  until  now, 
and the public-key setting with which we will be concerned in the remainder of the book. (The public-key setting will be introduced in Chapter 9.) Namely, in the private-key setting there exist suitable primitives (i.e., hash functions and pseudorandom generators, functions, and permutations) for constructing schemes, and these primitives can be constructed efficiently (at least in a heuristic sense) without invoking any number theory. In the public-key setting, however, all known efficient constructions rely on hard mathematical problems from algorithmic number theory. (We will also study constructions that do not rely directly on number theory. Unfortunately, however, these are far less efficient.)

[Figure 7.1 (image not preserved): boxes for Chapters 3, 4, 5, 6, and 7 connected by arrows.]

FIGURE 7.1: The world of private-key cryptography: a top-down approach (arrows represent implication).

The material in this chapter thus serves as both a culmination of what we have studied so far in private-key cryptography, as well as the foundation upon which public-key cryptography stands.


7.1  Preliminaries  and  Basic  Group  Theory 

We  begin  with  a review  of  prime  numbers  and  basic  modular  arithmetic. 
Even  the  reader  who  has  seen  these  topics  before  should  skim  the  next  two 
sections  since  some  of  the  material  may  be  new  and  we  include  proofs  for  most 
of  the  stated  results.  (Any  omitted  proofs  can  be  found  in  standard  algebra 
texts;  see  the  references  at  the  end  of  this  chapter.) 


7.1.1  Primes  and  Divisibility 

The set of integers is denoted by $\mathbb{Z}$. For $a, b \in \mathbb{Z}$, we say that $a$ divides $b$, written $a \mid b$, if there exists an integer $c$ such that $ac = b$. If $a$ does not divide $b$, we write $a \nmid b$. (We are primarily interested in the case where $a$, $b$ and $c$ are all positive, though the definition makes sense even when one or more of these is negative or zero.) A simple observation is that if $a \mid b$ and $a \mid c$ then $a \mid (Xb + Yc)$ for any $X, Y \in \mathbb{Z}$.

If $a \mid b$ and $a$ is positive, we call $a$ a divisor of $b$. If in addition $a \notin \{1, b\}$ then $a$ is called a non-trivial divisor, or a factor, of $b$. A positive integer $p > 1$ is prime if it has no factors; i.e., it has only two divisors: 1 and itself. A positive integer greater than 1 that is not prime is called composite. By convention, '1' is neither prime nor composite.

A fundamental theorem of arithmetic is that every integer greater than 1 can be expressed uniquely (up to ordering) as a product of primes. That is, any positive integer $N > 1$ can be written as $N = \prod_i p_i^{e_i}$, where the $\{p_i\}$ are distinct primes and $e_i \geq 1$ for all $i$; furthermore, the $\{p_i\}$ and $\{e_i\}$ are uniquely determined up to ordering.

We  are  familiar  with  the  process  of  division  with  remainder  from  elementary 
school.  The  following  proposition  formalizes  this  notion. 

PROPOSITION 7.1 Let $a$ be an integer and $b$ a positive integer. Then there exist unique integers $q, r$ for which $a = qb + r$ and $0 \leq r < b$.

Furthermore,  given  integers  a and  b as  in  the  proposition,  it  is  possible  to 
compute  q and  r in  polynomial  time.  See  Appendix  B.l. 

The greatest common divisor of two non-negative integers $a, b$, written $\gcd(a, b)$, is the largest integer $c$ such that $c \mid a$ and $c \mid b$. (We leave $\gcd(0, 0)$ undefined.) The notion of greatest common divisor also makes sense when either or both of $a, b$ are negative but we will never need this; therefore, when we write $\gcd(a, b)$ we always assume that $a, b \geq 0$. Note that $\gcd(b, 0) = \gcd(0, b) = b$; also, if $p$ is prime then $\gcd(a, p)$ is either equal to 1 or $p$. If $\gcd(a, b) = 1$ we say that $a$ and $b$ are relatively prime.

The  following  is  a useful  result: 


PROPOSITION 7.2 Let $a, b$ be positive integers. Then there exist integers $X, Y$ such that $Xa + Yb = \gcd(a, b)$. Furthermore, $\gcd(a, b)$ is the smallest positive integer that can be expressed in this way.
PROOF Consider the set $I = \{Xa + Yb \mid X, Y \in \mathbb{Z}\}$. Note that $a, b \in I$, and so $I$ certainly contains some positive integers. Let $d$ be the smallest positive integer in $I$. We show that $d = \gcd(a, b)$; since $d$ can be written as $d = Xa + Yb$ for some $X, Y \in \mathbb{Z}$ (because $d \in I$), this proves the theorem.

To show this, we must prove that $d \mid a$ and $d \mid b$, and that $d$ is the largest integer with this property. In fact, we can show that $d$ divides every element in $I$. To see this, take an arbitrary $c \in I$ and write $c = X'a + Y'b$ with $X', Y' \in \mathbb{Z}$. Using division with remainder (Proposition 7.1) we have that $c = qd + r$ with $q, r$ integers and $0 \leq r < d$. Then

$$r = c - qd = X'a + Y'b - q(Xa + Yb) = (X' - qX)a + (Y' - qY)b \in I.$$

If $r \neq 0$, this contradicts our choice of $d$ as the smallest positive integer in $I$ (because $r < d$). So, $r = 0$ and hence $d \mid c$. This shows that $d$ divides every element of $I$.

Since $a \in I$ and $b \in I$, the above shows that $d \mid a$ and $d \mid b$ and so $d$ is a common divisor of $a$ and $b$. It remains to show that it is the largest common divisor. Assume there exists an integer $d' > d$ such that $d' \mid a$ and $d' \mid b$. Then by the observation made earlier, $d' \mid Xa + Yb$. Since the latter is equal to $d$, this means $d' \mid d$. But this is impossible if $d'$ is larger than $d$. We conclude that $d$ is the largest integer dividing both $a$ and $b$, and hence $d = \gcd(a, b)$. ■


Given $a$ and $b$, the Euclidean algorithm can be used to compute $\gcd(a, b)$ in polynomial time. The extended Euclidean algorithm can be used to compute $X, Y$ (as in the above proposition) in polynomial time as well. See Appendix B.1.2 for details.

The preceding proposition is very useful in proving additional results about divisibility. We show two examples now.

PROPOSITION 7.3 If $c \mid ab$ and $\gcd(a, c) = 1$, then $c \mid b$. In particular, if $p$ is prime and $p \mid ab$ then either $p \mid a$ or $p \mid b$.

PROOF Since $c \mid ab$ we can write $\gamma c = ab$ for some integer $\gamma$. If $\gcd(a, c) = 1$ then, by the previous proposition, there exist integers $X, Y$ such that $1 = Xa + Yc$. Multiplying both sides by $b$, we obtain

$$b = Xab + Ycb = X\gamma c + Ycb = c \cdot (X\gamma + Yb).$$

Since $(X\gamma + Yb)$ is an integer, it follows that $c \mid b$.

The second part of the proposition follows from the fact that if $p \nmid a$ then $\gcd(a, p) = 1$. ■
PROPOSITION 7.4 If $p \mid N$, $q \mid N$, and $\gcd(p, q) = 1$, then $pq \mid N$.

PROOF Write $pa = N$, $qb = N$, and (using Proposition 7.2) $1 = Xp + Yq$, where $a, b, X, Y$ are all integers. Multiplying both sides of the last equation by $N$, we obtain

$$N = XpN + YqN = Xpqb + Yqpa = pq(Xb + Ya),$$

showing that $pq \mid N$. ■


7.1.2  Modular  Arithmetic 

Let $a, b, N \in \mathbb{Z}$ with $N > 1$. We use the notation $[a \bmod N]$ to denote the remainder of $a$ upon division by $N$. In more detail: by Proposition 7.1 there exist unique $q, r$ with $a = qN + r$ and $0 \leq r < N$, and we define $[a \bmod N]$ to be equal to this $r$. Note therefore that $0 \leq [a \bmod N] < N$. We refer to the process of mapping $a$ to $[a \bmod N]$ as reduction modulo $N$.

We say that $a$ and $b$ are congruent modulo $N$, written $a = b \bmod N$, if $[a \bmod N] = [b \bmod N]$, i.e., the remainder when $a$ is divided by $N$ is the same as the remainder when $b$ is divided by $N$. Note that $a = b \bmod N$ if and only if $N \mid (a - b)$. By way of notation, in an expression such as

$$a = b = c = \cdots = z \bmod N,$$

the understanding is that every equal sign in this sequence (and not just the last) refers to congruence modulo $N$.

Note that $a = [b \bmod N]$ implies $a = b \bmod N$, but not vice versa. (On the other hand, $[a \bmod N] = [b \bmod N]$ if and only if $a = b \bmod N$.) For example, $36 = 21 \bmod 15$ but $36 \neq [21 \bmod 15] = 6$.

Congruence  modulo  N is  an  equivalence  relation;  i.e.,  it  is  reflexive  (a  = 
a mod  N for  all  a),  symmetric  {a  = b mod  N implies  b = a mod  N),  and 
transitive  (if  a = b mod  N and  b = c mod  N then  a = c mod  N).  Congru- 
ence modulo  N also  obeys  the  standard  rules  of  arithmetic  with  respect  to 
addition,  subtraction,  and  multiplication;  so,  for  example,  if  a = a'  mod  N 
and  b = b'  mod  N then  (a  + b)  = {a'  + b')  mod  N and  ab  = a'b'  mod  N . A 
consequence  is  that  we  can  “reduce  and  then  add/multiply”  instead  of  hav- 
ing to  “add/multiply  and  then  reduce,”  a feature  which  can  often  be  used  to 
simplify  calculations. 


Example  7.5 

Let us compute $[1093028 \cdot 190301 \bmod 100]$. Since $1093028 = 28 \bmod 100$ and $190301 = 1 \bmod 100$, we have

$$1093028 \cdot 190301 = [1093028 \bmod 100] \cdot [190301 \bmod 100] \bmod 100 = 28 \cdot 1 = 28 \bmod 100.$$


Number Theory and Cryptographic Hardness Assumptions 


The alternative way of calculating the answer (namely, computing the product $1093028 \cdot 190301$ and then reducing the answer modulo 100) is much more time-consuming. ◊

Congruence modulo $N$ does not (in general) respect division. That is, if $a = a' \bmod N$ and $b = b' \bmod N$ then it is not necessarily true that $a/b = a'/b' \bmod N$; in fact, the expression "$a/b \bmod N$" is not always well-defined. As a specific example that often causes confusion, $ab = cb \bmod N$ does not necessarily imply that $a = c \bmod N$.


Example  7.6 

Take $N = 24$. Then $3 \cdot 2 = 6 = 15 \cdot 2 \bmod 24$, but $3 \neq 15 \bmod 24$. ◊

In certain cases, however, we can define a meaningful notion of division. If for a given integer $b$ there exists an integer $b^{-1}$ such that $bb^{-1} = 1 \bmod N$, we say that $b^{-1}$ is a (multiplicative) inverse of $b$ modulo $N$ and call $b$ invertible modulo $N$. Clearly, '0' is never invertible. It is also not difficult to show that if $\beta$ is a multiplicative inverse of $b$ modulo $N$ then so is $[\beta \bmod N]$. Furthermore, if $\beta'$ is another multiplicative inverse of $b$ then $[\beta \bmod N] = [\beta' \bmod N]$. When $b$ is invertible we can therefore simply let $b^{-1}$ denote the unique multiplicative inverse of $b$ that lies in the range $\{1, \ldots, N-1\}$.

When $b$ is invertible modulo $N$ we define division by $b$ modulo $N$ as multiplication by $b^{-1}$ modulo $N$ (i.e., we define $a/b \stackrel{\text{def}}{=} ab^{-1} \bmod N$). We stress that division by $b$ is only defined when $b$ is invertible. If $ab = cb \bmod N$ and $b$ is invertible, then we may divide each side of the equation by $b$ (or, equivalently, multiply each side by $b^{-1}$) to obtain

$$(ab) \cdot b^{-1} = (cb) \cdot b^{-1} \bmod N \;\Rightarrow\; a = c \bmod N.$$

We see that in this case, division works "as expected." Invertible integers are therefore "nicer" to work with, in some sense.

The  natural  question  is:  which  integers  are  invertible  modulo  a given  mod- 
ulus N?  We  can  fully  answer  this  question  using  Proposition  7.2: 

PROPOSITION 7.7 Let $a, N$ be integers, with $N > 1$. Then $a$ is invertible modulo $N$ if and only if $\gcd(a, N) = 1$.

PROOF Assume $a$ is invertible modulo $N$, and let $b$ denote its inverse. Note that $a \neq 0$ since $0 \cdot b = 0 \bmod N$ regardless of the value of $b$. Since $ab = 1 \bmod N$, the definition of congruence modulo $N$ implies that $ab - 1 = cN$ for some $c \in \mathbb{Z}$. Equivalently, $ba - cN = 1$. Since, by Proposition 7.2, $\gcd(a, N)$ is the smallest positive integer that can be expressed in this way, and there is no positive integer smaller than 1, this implies that $\gcd(a, N) = 1$.

Conversely, if $\gcd(a, N) = 1$ then by Proposition 7.2 there exist integers $X, Y$ such that $Xa + YN = 1$. Reducing each side of this equation modulo $N$ gives $Xa = 1 \bmod N$, and we see that $[X \bmod N]$ is a multiplicative inverse of $a$. ■


Example 7.8

Let $a = 11$ and $N = 17$. Then $(-3) \cdot 11 + 2 \cdot 17 = 1$, and so $14 = [-3 \bmod 17]$ is the inverse of 11. One can verify that $14 \cdot 11 = 1 \bmod 17$. ◊

Addition, subtraction, multiplication, and computation of inverses (when they exist) modulo $N$ can all be carried out in polynomial time; see Appendix B.2. Exponentiation (i.e., computing $[a^b \bmod N]$ for $b \geq 0$ an integer) can also be computed in polynomial time; see Appendix B.2.3.

7.1.3  Groups 

Let $G$ be a set. A binary operation $\circ$ on $G$ is simply a function $\circ(\cdot, \cdot)$ that takes as input two elements of $G$. If $g, h \in G$ then instead of using the cumbersome notation $\circ(g, h)$, we write $g \circ h$.

We  now  introduce  the  important  notion  of  a group. 

DEFINITION 7.9 A group is a set $G$ along with a binary operation $\circ$ for which the following conditions hold:

• (Closure:) For all $g, h \in G$, $g \circ h \in G$.

• (Existence of an Identity:) There exists an identity $e \in G$ such that for all $g \in G$, $e \circ g = g = g \circ e$.

• (Existence of Inverses:) For all $g \in G$ there exists an element $h \in G$ such that $g \circ h = e = h \circ g$. Such an $h$ is called an inverse of $g$.

• (Associativity:) For all $g_1, g_2, g_3 \in G$, $(g_1 \circ g_2) \circ g_3 = g_1 \circ (g_2 \circ g_3)$.

When $G$ has a finite number of elements, we say $G$ is a finite group and let $|G|$ denote the order of the group; that is, the number of elements in $G$.

A group $G$ with operation $\circ$ is abelian if the following holds:

• (Commutativity:) For all $g, h \in G$, $g \circ h = h \circ g$.

When  the  binary  operation  is  understood,  we  simply  call  the  set  G a group. 

We  will  always  deal  with  finite,  abelian  groups.  We  will  be  careful  to  specify, 
however,  when  a result  requires  these  assumptions. 

Associativity implies that we do not need to include parentheses when writing long expressions; that is, the notation $g_1 \circ g_2 \circ \cdots \circ g_n$ is unambiguous since it does not matter in what order we evaluate the operation $\circ$.

One can show that the identity element in a group $G$ is unique, and so we can therefore refer to the identity of a group. One can also show that each element $g$ of a group has a unique inverse. See Exercise 7.1.

If $G$ is a group, a set $H \subseteq G$ is a subgroup of $G$ if $H$ itself forms a group under the same operation associated with $G$. To check that $H$ is a subgroup, we need to verify closure, existence of identity and inverses, and associativity as per Definition 7.9. (Actually, associativity, as well as commutativity if $G$ is abelian, is inherited automatically from $G$.) Every group $G$ always has the trivial subgroups $G$ and $\{1\}$. We call $H$ a strict subgroup of $G$ if $H \neq G$.

In general, we will not use the notation $\circ$ to denote the group operation. Instead, we will use either additive notation or multiplicative notation depending on the group under discussion. When using additive notation, the group operation applied to two elements $g, h$ is denoted $g + h$; the identity is denoted by '0', and the inverse of an element $g$ is denoted by $-g$. When using multiplicative notation, the group operation applied to $g, h$ is denoted by $g \cdot h$ or simply $gh$; the identity is denoted by '1', and the inverse of an element $g$ is denoted by $g^{-1}$. As in the case of multiplication modulo $N$, we also define division by $g$ as multiplication by $g^{-1}$ (i.e., $h/g$ is defined to mean $hg^{-1}$). When we state general results, we will always use multiplicative notation. This does not imply that the group operation corresponds to integer addition or multiplication. This merely serves as useful notation.

At this point, it may be helpful to see some examples.

Example  7.10  

A set  may  be  a group  under  one  operation,  but  not  another.  For  example, 
the  set  of  integers  Z is  an  abelian  group  under  addition:  the  identity  is  the 
element  ‘O’,  and  every  integer  g has  inverse  —g.  On  the  other  hand,  it  is  not 
a group  under  multiplication  since,  for  example,  the  integer  ‘2’  does  not  have 
a multiplicative inverse in the integers. ◊


Example 7.11

The set of real numbers $\mathbb{R}$ is not a group under multiplication, since '0' does not have a multiplicative inverse. The set of non-zero real numbers, however, is an abelian group under multiplication with identity '1'. ◊

The following example introduces the group $\mathbb{Z}_N$ that we will use frequently.

Example 7.12

Let $N \geq 2$ be an integer. The set $\{0, \ldots, N-1\}$ with respect to addition modulo $N$ (i.e., where $a + b \stackrel{\text{def}}{=} [a + b \bmod N]$) is an abelian group of order $N$: Closure is obvious; associativity and commutativity follow from the fact that the integers satisfy these properties; the identity is 0; and, since $a + (N - a) = 0 \bmod N$, it follows that the inverse of any element $a$ is $[(N - a) \bmod N]$. We denote this group by $\mathbb{Z}_N$. (We will also use $\mathbb{Z}_N$ to denote the set $\{0, \ldots, N-1\}$ without regard to any particular group operation.) ◊
We end this section with an easy lemma that formalizes an obvious "cancelation law" for groups.

LEMMA 7.13 Let $G$ be a group and $a, b, c \in G$. If $ac = bc$, then $a = b$. In particular, if $ac = c$ then $a$ is the identity in $G$.

PROOF We know $ac = bc$. Multiplying both sides by the unique inverse $c^{-1}$ of $c$, we obtain $a = b$. In detail:

$$ac = bc \;\Rightarrow\; (ac)c^{-1} = (bc)c^{-1} \;\Rightarrow\; a(cc^{-1}) = b(cc^{-1}) \;\Rightarrow\; a \cdot 1 = b \cdot 1 \;\Rightarrow\; a = b. \quad ■$$


Compare  the  above  proof  to  the  discussion  (preceding  Proposition  7.7)  re- 
garding a cancelation  law  for  division  modulo  N.  As  indicated  by  the  sim- 
ilarity, the  invertible  elements  modulo  N form  a group  under  multiplication 
modulo  N.  We  will  return  to  this  example  in  more  detail  shortly. 

Group  Exponentiation 

It is often useful to be able to describe the group operation applied $m$ times to a fixed element $g$, where $m$ is a positive integer. When using additive notation, we express this as $m \cdot g$ or $mg$; that is,

$$mg = m \cdot g \stackrel{\text{def}}{=} \underbrace{g + \cdots + g}_{m \text{ times}}.$$

Note that $m$ is an integer, while $g$ is a group element. So $mg$ does not represent the group operation applied to $m$ and $g$ (indeed, we are working in a group where the group operation is written additively). Thankfully, however, the notation "behaves as it should"; so, for example, if $g \in G$ and $m, m'$ are integers then $(mg) + (m'g) = (m + m')g$, $m(m'g) = (mm')g$, and $1 \cdot g = g$. In an abelian group $G$ with $g, h \in G$, $(mg) + (mh) = m(g + h)$.

When using multiplicative notation, we express application of the group operation $m$ times to an element $g$ by $g^m$. That is,

$$g^m \stackrel{\text{def}}{=} \underbrace{g \cdot g \cdots g}_{m \text{ times}}.$$

The familiar rules of exponentiation hold: $g^m \cdot g^{m'} = g^{m+m'}$, $(g^m)^{m'} = g^{mm'}$, and $g^1 = g$. Also, if $G$ is an abelian group and $g, h \in G$ then $g^m \cdot h^m = (gh)^m$. Note that all these results are simply "translations" of the results stated in
Note  that  all  these  results  are  simply  “translations”  of  the  results  stated  in 
the previous paragraph to the setting of groups written multiplicatively rather than additively.

The above notation is extended in the natural way to the case when $m$ is zero or a negative integer. (In general, we leave $g^m$ undefined if $m$ is not an integer.) When using additive notation we have $0 \cdot g \stackrel{\text{def}}{=} 0$ and $(-m) \cdot g \stackrel{\text{def}}{=} m \cdot (-g)$ for $m$ a positive integer. (Note that in the equation '$0 \cdot g = 0$' the '0' on the left-hand side is the integer 0 while the '0' on the right-hand side is the identity element in the group.) As one would expect, it can be shown that $(-m) \cdot g = -(mg)$.

When using multiplicative notation, $g^0 \stackrel{\text{def}}{=} 1$ and $g^{-m} \stackrel{\text{def}}{=} (g^{-1})^m$. Again, as expected, one can show that $g^{-m} = (g^m)^{-1}$.

Let $g \in G$ and $b \geq 0$ be an integer. Then the exponentiation $g^b$ can be computed using a polynomial number of underlying group operations in $G$. Thus, if the group operation can be computed in polynomial time then so can exponentiation. This is discussed in Appendix B.2.3.

We  now  know  enough  to  prove  the  following  remarkable  result: 

THEOREM 7.14 Let $G$ be a finite group with $m = |G|$, the order of the group. Then for any element $g \in G$, $g^m = 1$.

PROOF We prove the theorem only when $G$ is abelian (though it holds for any finite group). Fix arbitrary $g \in G$, and let $g_1, \ldots, g_m$ be the elements of $G$. We claim that

$$g_1 \cdot g_2 \cdots g_m = (gg_1) \cdot (gg_2) \cdots (gg_m).$$

To see this, note that $gg_i = gg_j$ implies $g_i = g_j$ by Lemma 7.13. So each of the $m$ elements in parentheses on the right-hand side of the displayed equation is distinct. Because there are exactly $m$ elements in $G$, the $m$ elements being multiplied together on the right-hand side are simply all elements of $G$ in some permuted order. Since $G$ is abelian the order in which all elements of the group are multiplied does not matter, and so the right-hand side is equal to the left-hand side.

Again using the fact that $G$ is abelian, we can "pull out" all occurrences of $g$ and obtain

$$g_1 \cdot g_2 \cdots g_m = (gg_1) \cdot (gg_2) \cdots (gg_m) = g^m \cdot (g_1 \cdot g_2 \cdots g_m).$$

Appealing once again to Lemma 7.13, this implies $g^m = 1$. ■

An  important  corollary  of  the  above  is  that  we  can  work  “modulo  the  group 
order  in  the  exponent” : 

COROLLARY 7.15 Let $G$ be a finite group with $m = |G| > 1$. Then for any $g \in G$ and any integer $i$, we have $g^i = g^{[i \bmod m]}$.

PROOF Say $i = qm + r$, where $q, r$ are integers and $r = [i \bmod m]$. Using Theorem 7.14,

$$g^i = g^{qm + r} = (g^m)^q \cdot g^r = 1^q \cdot g^r = g^r,$$

as claimed. ■


Example 7.16

Written additively, the above corollary says that if $g$ is an element in a group of order $m$, then $i \cdot g = [i \bmod m] \cdot g$. As an example, consider the group $\mathbb{Z}_{15}$ of order $m = 15$, and take $g = 11$. The corollary says that

$$152 \cdot 11 = [152 \bmod 15] \cdot 11 = 2 \cdot 11 = 11 + 11 = 22 = 7 \bmod 15.$$

The above exactly agrees with the fact (cf. Example 7.5) that we can "reduce and then multiply" rather than having to "multiply and then reduce." ◊

Another corollary that will be extremely useful for cryptographic applications is the following:

COROLLARY 7.17 Let $G$ be a finite group with $m = |G| > 1$. Let $e > 0$ be an integer, and define the function $f_e : G \to G$ by $f_e(g) = g^e$. If $\gcd(e, m) = 1$, then $f_e$ is a permutation (i.e., a bijection). Moreover, if $d = [e^{-1} \bmod m]$ then $f_d$ is the inverse of $f_e$.

PROOF By Proposition 7.7, $\gcd(e, m) = 1$ implies that $e$ is invertible modulo $m$ and, in this case, $d$ is the multiplicative inverse of $e$ modulo $m$. The second part of the claim implies the first, so we need only show that $f_d$ is the inverse of $f_e$. This is true because for any $g \in G$ we have

$$f_d(f_e(g)) = f_d(g^e) = (g^e)^d = g^{ed} = g^{[ed \bmod m]} = g^1 = g,$$

where the fourth equality follows from Corollary 7.15. ■


7.1.4 The Group $\mathbb{Z}_N^*$

As discussed in Example 7.12, the set $\mathbb{Z}_N = \{0, \ldots, N-1\}$ is a group under addition modulo $N$. Can we define a group structure over the set $\{0, \ldots, N-1\}$ with respect to multiplication modulo $N$? In doing so, we will have to eliminate those elements in this set that are not invertible; for example, we will have to eliminate '0' since it obviously has no multiplicative inverse. This is not the only potential problem: if $N = 6$, then '3' is not invertible as can be proved by exhaustively trying every possibility.
Which elements $a \in \{1, \ldots, N-1\}$ are invertible modulo $N$? Proposition 7.7 says that these are exactly those elements $a$ for which $\gcd(a, N) = 1$. We have also seen in Section 7.1.2 that whenever $a$ is invertible, it has an inverse lying in the range $\{1, \ldots, N-1\}$. This leads us to define, for $N > 1$, the set

$$\mathbb{Z}_N^* \stackrel{\text{def}}{=} \{a \in \{1, \ldots, N-1\} \mid \gcd(a, N) = 1\};$$

i.e., $\mathbb{Z}_N^*$ consists of integers in the set $\{1, \ldots, N-1\}$ that are relatively prime to $N$. The group operation is multiplication modulo $N$; i.e., $ab \stackrel{\text{def}}{=} [ab \bmod N]$.

We claim that $\mathbb{Z}_N^*$ is an abelian group with respect to this operation. Since the element '1' is always in $\mathbb{Z}_N^*$, the set clearly contains an identity element. The discussion above shows that each element in $\mathbb{Z}_N^*$ has a multiplicative inverse in the same set. Commutativity and associativity follow from the fact that these properties hold over the integers. To show that closure holds, let $a, b \in \mathbb{Z}_N^*$, let $c = [ab \bmod N]$, and assume $c \notin \mathbb{Z}_N^*$. This means that $\gcd(c, N) \neq 1$, and so there exists a prime $p$ dividing both $N$ and $c$. Since $ab = qN + c$ for some integer $q$, we see that $p \mid ab$. By Proposition 7.3, this means $p \mid a$ or $p \mid b$; but then either $\gcd(a, N) \neq 1$ or $\gcd(b, N) \neq 1$, contradicting our assumption that $a, b \in \mathbb{Z}_N^*$.

Summarizing:

PROPOSITION 7.18 Let $N > 1$ be an integer. Then $\mathbb{Z}_N^*$ is an abelian group under multiplication modulo $N$.

Define $\phi(N) \stackrel{\text{def}}{=} |\mathbb{Z}_N^*|$, the order of the group $\mathbb{Z}_N^*$ ($\phi$ is called the Euler phi function). What is the value of $\phi(N)$? First consider the case when $N = p$ is prime. Then all elements in $\{1, \ldots, p-1\}$ are relatively prime to $p$, and so $\phi(p) = |\mathbb{Z}_p^*| = p - 1$. Next consider the case that $N = pq$, where $p, q$ are distinct primes. If an integer $a \in \{1, \ldots, N-1\}$ is not relatively prime to $N$, then either $p \mid a$ or $q \mid a$ ($a$ cannot be divisible by both $p$ and $q$ since this would imply $pq \mid a$ but $a < N = pq$). The elements in $\{1, \ldots, N-1\}$ divisible by $p$ are exactly the $(q-1)$ elements $p, 2p, 3p, \ldots, (q-1)p$, and the elements divisible by $q$ are exactly the $(p-1)$ elements $q, 2q, \ldots, (p-1)q$. The number of elements remaining (i.e., those that are divisible by neither $p$ nor $q$) is therefore given by

$$(N - 1) - (q - 1) - (p - 1) = pq - p - q + 1 = (p-1)(q-1).$$

We have thus proved that $\phi(N) = (p-1)(q-1)$ when $N$ is the product of two distinct primes $p$ and $q$.

You are asked to prove the following general result (used only rarely in the rest of the book) in Exercise 7.4:

THEOREM 7.19 Let $N = \prod_i p_i^{e_i}$, where the $\{p_i\}$ are distinct primes and $e_i \geq 1$. Then $\phi(N) = \prod_i p_i^{e_i - 1}(p_i - 1)$.



Example 7.20

Take $N = 15 = 5 \cdot 3$. Then $\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$ and $|\mathbb{Z}_{15}^*| = 8 = 4 \cdot 2 = \phi(15)$. The inverse of 8 in $\mathbb{Z}_{15}^*$ is 2, since $8 \cdot 2 = 16 = 1 \bmod 15$. ◊

We have shown that Z*_N is a group of order φ(N). The following are now
easy corollaries of Theorem 7.14 and Corollary 7.17:

COROLLARY 7.21 Take arbitrary N > 1 and a ∈ Z*_N. Then

a^{φ(N)} = 1 mod N.

For the specific case that N = p is prime and a ∈ {1, ..., p − 1}, we have

a^{p−1} = 1 mod p.


COROLLARY 7.22 Fix N > 1. For integer e > 0 define f_e : Z*_N → Z*_N by
f_e(x) = [x^e mod N]. If e is relatively prime to φ(N) then f_e is a
permutation. Moreover, if d = [e^{−1} mod φ(N)] then f_d is the inverse of f_e.
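As an added example (not the book's own code), the following Python checks Theorem 7.19 and Corollaries 7.21 and 7.22 on small moduli: φ(N) is computed from the factorization and compared with a direct count of Z*_N, and f_e is verified to be a permutation of Z*_N that f_d inverts. The helper names are assumptions of this example.

```python
# Added example, not from the book: phi(N) via Theorem 7.19, checked against
# a direct count of Z*_N, plus the exponentiation permutation of Corollary 7.22.
from math import gcd
from typing import Dict, List


def factor_small(n: int) -> Dict[int, int]:
    """Trial-division factorization {p_i: e_i}; adequate for the toy moduli here."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Theorem 7.19: phi(N) = prod_i p_i^(e_i - 1) * (p_i - 1)."""
    result = 1
    for p, e in factor_small(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def units(n: int) -> List[int]:
    """Z*_N listed explicitly: the elements of {1, ..., N-1} coprime to N."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def euler_holds(n: int) -> bool:
    """Corollary 7.21: a^phi(N) = 1 mod N for every a in Z*_N."""
    ph = phi(n)
    return all(pow(a, ph, n) == 1 for a in units(n))


def rsa_permutation_check(n: int, e: int) -> bool:
    """Corollary 7.22: with gcd(e, phi(N)) = 1 and d = e^-1 mod phi(N),
    f_e(x) = x^e mod N permutes Z*_N and f_d undoes it on every element."""
    ph = phi(n)
    if gcd(e, ph) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, ph)                      # modular inverse (Python 3.8+)
    zn_star = units(n)
    image = sorted(pow(x, e, n) for x in zn_star)
    is_permutation = image == zn_star       # f_e hits every unit exactly once
    inverts = all(pow(pow(x, e, n), d, n) == x for x in zn_star)
    return is_permutation and inverts
```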


7.1.5  * Isomorphisms  and  the  Chinese  Remainder  Theorem 

An  isomorphism  of  a group  G provides  an  alternative,  but  equivalent,  way 
of  thinking  about  G. 

DEFINITION 7.23 Let G, H be groups with respect to the operations
∘_G, ∘_H, respectively. A function f : G → H is an isomorphism from G to H if:

1. f is a bijection, and

2. For all g_1, g_2 ∈ G we have f(g_1 ∘_G g_2) = f(g_1) ∘_H f(g_2).

If there exists an isomorphism from G to H then we say that these groups are
isomorphic and write this as G ≃ H.

In essence, an isomorphism from G to H is just a renaming of elements of G
as elements of H. Note that if G is finite and G ≃ H, then H must be finite
and of the same size as G. Also, if there exists an isomorphism f from G to
H then f^{−1} is an isomorphism from H to G. However, it is possible that f
may be efficiently computable while f^{−1} is not (or vice versa).

The aim of this section is to use the language of isomorphisms to better
understand the group structure of Z_N and Z*_N when N = pq is a product of
two distinct primes. We first need to introduce the notion of a cross product
of groups. Given groups G, H with group operations ∘_G, ∘_H respectively, we
define a new group G × H (the cross product of G and H) as follows. The
elements of G × H are ordered pairs (g, h) with g ∈ G and h ∈ H; thus, if G
has n elements and H has n' elements, G × H has n · n' elements. The group
operation ∘ on G × H is applied component-wise; that is:

(g, h) ∘ (g', h') def= (g ∘_G g', h ∘_H h').

We  leave  it  to  Exercise  7.7  to  verify  that  G x HI  is  indeed  a group.  The  above 
notation  can  be  extended  to  cross  products  of  more  than  two  groups  in  the 
natural  way,  though  we  will  not  need  this  for  what  follows. 

We  may  now  state  and  prove  the  Chinese  remainder  theorem. 


THEOREM 7.24 (Chinese Remainder Theorem) Let N = pq where
p and q are relatively prime. Then

Z_N ≃ Z_p × Z_q and Z*_N ≃ Z*_p × Z*_q.

Moreover, let f be the function mapping elements x ∈ {0, ..., N − 1} to pairs
(x_p, x_q) with x_p ∈ {0, ..., p − 1} and x_q ∈ {0, ..., q − 1} defined by

f(x) def= ([x mod p], [x mod q]).

Then f is an isomorphism from Z_N to Z_p × Z_q as well as an isomorphism
from Z*_N to Z*_p × Z*_q.

PROOF It is clear that for any x ∈ Z_N the output f(x) is a pair of
elements (x_p, x_q) with x_p ∈ Z_p and x_q ∈ Z_q. Furthermore, we claim that if
x ∈ Z*_N then (x_p, x_q) ∈ Z*_p × Z*_q. Indeed, if x_p ∉ Z*_p then this means that
gcd([x mod p], p) ≠ 1. But then gcd(x, p) ≠ 1. This implies gcd(x, N) ≠ 1,
contradicting the assumption that x ∈ Z*_N. (An analogous argument holds if
x_q ∉ Z*_q.)

We now show that f is an isomorphism from Z_N to Z_p × Z_q. (The proof that
it is an isomorphism from Z*_N to Z*_p × Z*_q is similar.) Let us start by proving
that f is one-to-one. Say f(x) = (x_p, x_q) = f(x'). Then x = x_p = x' mod p
and x = x_q = x' mod q. This in turn implies that (x − x') is divisible by
both p and q. Since gcd(p, q) = 1, Proposition 7.4 says that pq = N divides
(x − x'). But then x = x' mod N. For x, x' ∈ Z_N, this means that x = x'
and so f is indeed one-to-one. Since |Z_N| = N = p · q = |Z_p| · |Z_q|, the sizes
of Z_N and Z_p × Z_q are the same. This in combination with the fact that f is
one-to-one implies that f is bijective.

In the following paragraph, let +_N denote addition modulo N, and let ⊞
denote the group operation in Z_p × Z_q (i.e., addition modulo p in the first
component and addition modulo q in the second component). To conclude
the proof that f is an isomorphism from Z_N to Z_p × Z_q, we need to show that
for all a, b ∈ Z_N it holds that f(a +_N b) = f(a) ⊞ f(b).
To see that this is true, note that

f(a +_N b) = ([(a +_N b) mod p], [(a +_N b) mod q])
           = ([(a + b) mod p], [(a + b) mod q])
           = ([a mod p], [a mod q]) ⊞ ([b mod p], [b mod q]) = f(a) ⊞ f(b).

(For the second equality, above, we use the fact that [[X mod N] mod p] =
[[X mod p] mod p] when p | N; see Exercise 7.8.) ■


The theorem does not require p or q to be prime. An extension of the
Chinese remainder theorem says that if p_1, p_2, ..., p_ℓ are pairwise relatively
prime (i.e., gcd(p_i, p_j) = 1 for all i ≠ j) and N def= \prod_{i=1}^{ℓ} p_i, then

Z_N ≃ Z_{p_1} × ··· × Z_{p_ℓ} and Z*_N ≃ Z*_{p_1} × ··· × Z*_{p_ℓ}.

An isomorphism in each case is obtained by a natural extension of the one
used in the theorem above.

By way of notation, with N understood and x ∈ {0, 1, ..., N − 1} we write
x ↔ (x_p, x_q) for x_p = [x mod p] and x_q = [x mod q]. I.e., x ↔ (x_p, x_q) if and
only if f(x) = (x_p, x_q), where f is as in the theorem above. One way to think
about this notation is that it means "x (in Z_N) corresponds to (x_p, x_q) (in
Z_p × Z_q)." The same notation is used when dealing with x ∈ Z*_N.


Example 7.25

Take N = 15 = 5 · 3, and consider Z*_15 = {1, 2, 4, 7, 8, 11, 13, 14}. The Chinese
remainder theorem says that this group is isomorphic to Z*_5 × Z*_3. Indeed, we
can compute

1 ↔ (1, 1)     2 ↔ (2, 2)     4 ↔ (4, 1)     7 ↔ (2, 1)
8 ↔ (3, 2)    11 ↔ (1, 2)    13 ↔ (3, 1)    14 ↔ (4, 2),

where each possible pair (a, b) with a ∈ Z*_5 and b ∈ Z*_3 appears exactly once.
◊

Using the Chinese Remainder Theorem

If two groups are isomorphic, then they both serve as representations of the
same underlying "algebraic structure." Nevertheless, the choice of which
representation to use can affect the computational efficiency of group operations.
We show this abstractly, and then in the specific context of Z_N and Z*_N.

Let G, H be groups with operations ∘_G, ∘_H, respectively, and say f is an
isomorphism from G to H where both f and f^{−1} can be computed efficiently
(in general this need not be the case). Then for g_1, g_2 ∈ G we can compute
g = g_1 ∘_G g_2 in two ways: either by directly computing the group operation
in G, or by carrying out the following steps:

1. Compute h_1 = f(g_1) and h_2 = f(g_2);

2. Compute h = h_1 ∘_H h_2 using the group operation in H;

3. Compute g = f^{−1}(h).

Which method is better depends on the specific groups under consideration,
as well as the efficiency of computing f and f^{−1}.

We now turn to the specific case of computations modulo N, when N =
pq is a product of distinct primes. The Chinese remainder theorem shows
that addition or multiplication modulo N can be "transformed" to analogous
operations modulo p and q. (Moreover, an easy corollary of the Chinese
remainder theorem shows that this holds true for exponentiation as well.)
Using Example 7.25, we can show some simple examples with N = 15.


Example 7.26

Say we wish to compute the product 14 · 13 modulo 15 (i.e., in Z*_15). Exam-
ple 7.25 gives 14 ↔ (4, 2) and 13 ↔ (3, 1). Now,

[14 · 13 mod 15] ↔ (4, 2) · (3, 1) = ([4 · 3 mod 5], [2 · 1 mod 3]) = (2, 2).

But (2, 2) ↔ 2, which is the correct answer since 14 · 13 = 2 mod 15. ◊


Example 7.27

Say we wish to compute 11^{…} mod 15. Example 7.25 gives 11 ↔ (1, 2) and so
[11^{…} mod 15] ↔ (1, 2)^{…}, where on the right-hand side exponentiation is in the
group Z*_5 × Z*_3. Thus,

[11^{…} mod 15] ↔ (1, 2)^{…} = (1^{…} mod 5, 2^{…} mod 3) = (1, 1) ↔ 1.

Indeed, 11^{…} = 1 mod 15. ◊

One thing we have not yet discussed is how to algorithmically convert back-
and-forth between the representation of an element modulo N and its repre-
sentation modulo p and q. We now show that the conversion can be carried
out in polynomial time provided the factorization of N is known.

It is easy to map an element x modulo N to its corresponding represen-
tation modulo p and q: the element x corresponds to ([x mod p], [x mod q]).
Since both the necessary modular reductions can be carried out efficiently (cf.
Appendix B.2), this process can be carried out in polynomial time.

For the other direction, we make use of the following observation: an ele-
ment with representation (x_p, x_q) can be written as

(x_p, x_q) = x_p · (1, 0) + x_q · (0, 1).

So, if we can find elements 1_p, 1_q ∈ {0, ..., N − 1} such that 1_p ↔ (1, 0) and
1_q ↔ (0, 1), then (appealing to the Chinese remainder theorem) we know that

(x_p, x_q) ↔ [(x_p · 1_p + x_q · 1_q) mod N].

Since p, q are distinct primes, gcd(p, q) = 1. We can use the extended
Euclidean algorithm (cf. Appendix B.1.2) to find integers X, Y such that

Xp + Yq = 1.

We claim that 1_p = [Yq mod N]. This is because

[[Yq mod N] mod p] = [Yq mod p] = [(1 − Xp) mod p] = 1

and

[[Yq mod N] mod q] = [Yq mod q] = 0;

and so Yq mod N ↔ (1, 0) as desired. In a similar way it can be shown that
1_q = [Xp mod N].

In summary, we can convert an element represented as (x_p, x_q) to its rep-
resentation modulo N in the following way (assuming p and q are known):

1. Compute X, Y such that Xp + Yq = 1.

2. Set 1_p = [Yq mod N] and 1_q = [Xp mod N].

3. Compute x = [(x_p · 1_p + x_q · 1_q) mod N].

Note that if many such conversions will be performed, then 1_p, 1_q can be
computed once-and-for-all in a preprocessing phase.


Example 7.28

Take p = 5, q = 7, and N = 5 · 7 = 35. Say we are given the representation
(4, 3) and want to convert this to the corresponding element of Z_35. Using
the extended Euclidean algorithm, we compute

3 · 5 − 2 · 7 = 1.

Thus, 1_p = [(−2 · 7) mod 35] = 21 and 1_q = [3 · 5 mod 35] = 15. So

(4, 3) = 4 · (1, 0) + 3 · (0, 1)
       ↔ [4 · 1_p + 3 · 1_q mod 35]
       = [4 · 21 + 3 · 15 mod 35] = 24.

Since 24 = 4 mod 5 and 24 = 3 mod 7, this is indeed correct. ◊
Example 7.29

Say we want to compute [29^{100} mod 35]. We first compute the correspondence
29 ↔ ([29 mod 5], [29 mod 7]) = (−1, 1). Using the Chinese remainder
theorem, we have

[29^{100} mod 35] ↔ (−1, 1)^{100} = ((−1)^{100} mod 5, 1^{100} mod 7) = (1, 1),

and it is immediate that (1, 1) ↔ 1. We conclude that 1 = [29^{100} mod 35]. ◊


Example 7.30

Say we want to compute [18^{25} mod 35]. We have 18 ↔ (3, 4) and so

18^{25} mod 35 ↔ (3, 4)^{25} = ([3^{25} mod 5], [4^{25} mod 7]).

Since Z*_5 is a group of order 4, we can "work modulo 4 in the exponent" (cf.
Corollary 7.15) and see that

3^{25} = 3^{25 mod 4} = 3^1 = 3 mod 5.

Similarly,

4^{25} = 4^{25 mod 6} = 4^1 = 4 mod 7.

Thus, ([3^{25} mod 5], [4^{25} mod 7]) = (3, 4) ↔ 18 and so [18^{25} mod 35] = 18. ◊
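The conversion procedure and Examples 7.26 and 7.28 through 7.30 above, worked in Python as an added example that is not the book's code: `crt_units` computes 1_p and 1_q from the extended Euclidean algorithm, `from_crt` and `to_crt` convert in both directions, and `pow_via_crt` exponentiates component-wise, reducing each exponent modulo the group order when the component is a unit (this assumes p and q are prime; all function names are this example's own).

```python
# Added example, not the book's code: conversion between Z_N and Z_p x Z_q in
# both directions (Section 7.1.5), and multiplication/exponentiation carried
# out in the CRT representation as in Examples 7.26 and 7.28-7.30.
from typing import Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclidean algorithm: returns (g, X, Y) with X*a + Y*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def to_crt(x: int, p: int, q: int) -> Tuple[int, int]:
    """x in Z_N  ->  (x mod p, x mod q): the easy direction."""
    return x % p, x % q


def crt_units(p: int, q: int) -> Tuple[int, int]:
    """Return (1_p, 1_q), the elements of Z_N corresponding to (1, 0) and (0, 1).
    From X*p + Y*q = 1 we get 1_p = Y*q mod N and 1_q = X*p mod N, exactly as
    in the three-step procedure above; cache these if converting many values."""
    g, big_x, big_y = egcd(p, q)
    if g != 1:
        raise ValueError("p and q must be relatively prime")
    n = p * q
    return (big_y * q) % n, (big_x * p) % n


def from_crt(xp: int, xq: int, p: int, q: int) -> int:
    """(x_p, x_q)  ->  x = x_p * 1_p + x_q * 1_q mod N."""
    one_p, one_q = crt_units(p, q)
    return (xp * one_p + xq * one_q) % (p * q)


def mul_via_crt(a: int, b: int, p: int, q: int) -> int:
    """a * b mod N computed component-wise modulo p and q (Example 7.26)."""
    ap, aq = to_crt(a, p, q)
    bp, bq = to_crt(b, p, q)
    return from_crt((ap * bp) % p, (aq * bq) % q, p, q)


def pow_via_crt(a: int, e: int, p: int, q: int) -> int:
    """a^e mod N for e >= 1, computed component-wise. For a component that is a
    unit the exponent is reduced modulo the group order (p-1 or q-1; p and q are
    assumed prime), which is the "work modulo 4 in the exponent" trick of
    Example 7.30; a zero component simply stays zero."""
    ap, aq = to_crt(a, p, q)
    rp = pow(ap, e % (p - 1), p) if ap else 0
    rq = pow(aq, e % (q - 1), q) if aq else 0
    return from_crt(rp, rq, p, q)
```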


7.2 Primes, Factoring, and RSA

In this section, we show the first examples of number-theoretic problems
that are conjectured to be "hard". We begin with a discussion of one of the
oldest problems: integer factorization or just factoring.

Given a composite integer N, the factoring problem is to find positive inte-
gers p, q such that pq = N. Factoring is a classic example of a hard problem,
both because it is so simple to describe and also because it has been recognized
as a hard computational problem for a long time (even before its use in cryp-
tography). The problem can be solved in exponential time O(√N · polylog(N))
using trial division: that is, by exhaustively checking whether p divides N
for p = 2, ..., ⌊√N⌋. (This method requires √N divisions, each one taking
polylog(N) = (log N)^c time for some constant c.) This always succeeds be-
cause although the largest prime factor of N may be as large as N/2, the
smallest prime factor of N can be at most ⌊√N⌋. Although algorithms with
better running time are known (see Chapter 8), no polynomial-time algorithm
that solves the factoring problem has been developed, despite many years of
effort.
Consider the following experiment for a given algorithm A and parameter n:

The weak factoring experiment w-Factor_A(n):

1. Choose two n-bit integers x_1, x_2 at random.

2. Compute N := x_1 · x_2.

3. A is given N, and outputs x'_1, x'_2.

4. The output of the experiment is defined to be 1 if x'_1 · x'_2 = N,
and 0 otherwise.

We have just said that the factoring problem is believed to be hard. Does
this mean that for any PPT algorithm A we have

Pr[w-Factor_A(n) = 1] ≤ negl(n),

for some negligible function negl? Not at all. For starters, the number N in
the above experiment is even with probability 3/4 (as this occurs when either
x_1 or x_2 is even) and it is, of course, easy for A to factor N in this case. While
we can make A's job more difficult by requiring A to output integers x'_1, x'_2 of
length n (as suggested in Chapter 6), it remains the case that x_1 or x_2 (and
hence N) might have small prime factors that can still be easily found by A.
In cryptographic contexts, we would like to prevent this.

As this discussion indicates, the "hardest" numbers to factor seem to be
those having only large prime factors. This suggests re-defining the above
experiment so that x_1, x_2 are random n-bit primes rather than random n-bit
integers, and in fact such an experiment will be used when we formally define
the factoring assumption in Section 7.2.3. For this experiment to be useful in
a cryptographic setting, however, it will be necessary to be able to generate
random n-bit primes efficiently. This is the topic of the next section.

7.2.1  Generating  Random  Primes 

The  same  general  approach  discussed  in  Appendix  B.2.4  for  choosing  ran- 
dom integers  in  a certain  range  can  be  used  to  generate  random  n-bit  primes. 
(The  discussion  in  Appendix  B.2.4  is  helpful,  but  not  essential,  for  what  fol- 
lows.) Specifically,  we  can  generate  a random  n-bit  prime  by  repeatedly  choos- 
ing random  n-bit  integers  until  we  find  the  first  prime;  we  repeat  this  at  most 
t times.  See  Algorithm  7.31  for  a high-level  description  of  the  process. 

Note  that  the  algorithm  forces  the  output  to  be  an  integer  of  length  exactly 
n (rather  than  length  at  most  n)  by  fixing  the  high-order  bit  of  p to  ‘1’.  Our 
convention  throughout  this  book  is  that  an  “integer  of  length  n”  means  an 
integer  whose  binary  representation  with  most  significant  bit  equal  to  1 is 
exactly  n bits  long. 

Given  a method  that  always  correctly  determines  whether  or  not  a given 
integer  p is  prime,  the  above  algorithm  outputs  a random  n-bit  prime  con- 
ditioned on  the  event  that  it  does  not  output  fail.  The  probability  that  the 
ALGORITHM 7.31

Generating a random prime — high-level outline

Input: Length n; parameter t
Output: A random n-bit prime

for i = 1 to t: {

  p' ← {0, 1}^{n−1}

  p := 1 || p'

  if p is prime return p

}

return fail


algorithm outputs fail depends on t, and for our purposes we will want to set
t so as to obtain a failure probability that is negligible in n. To show that this
approach leads to an efficient (i.e., polynomial-time in n) algorithm for gener-
ating primes, we need a better understanding of two issues: (1) the probability
that a randomly-selected n-bit integer is prime; and (2) how to efficiently test
whether a given integer p is prime. We discuss these issues briefly now, and
defer a more in-depth exploration of the second topic to Section 7.2.2.

The distribution of primes. The prime number theorem, an important
result in mathematics, gives fairly precise bounds on the fraction of integers
of a given length that are prime. For our purposes, we need only the following
weak version of that result:


THEOREM 7.32 There exists a constant c such that, for any n > 1, the
number of n-bit primes is at least c · 2^{n−1}/n.

We do not give a proof of this theorem here, though somewhat elementary
proofs are known (see the references at the end of the chapter). The theorem
implies that the probability that a random n-bit integer is prime is at least

\frac{c \cdot 2^{n-1}/n}{2^{n-1}} = \frac{c}{n}.

Returning to the approach for generating primes described above, this implies
that if we set t = n^2/c then the probability that a prime is not chosen in all
t iterations of the algorithm is at most

\left(1 - \frac{c}{n}\right)^{n^2/c} \leq \left(e^{-1}\right)^{n} = e^{-n}

(using Inequality A.2), which is negligible in n. Thus, using poly(n) iterations
we get an error probability that is negligible in n.

Testing primality. The problem of efficiently determining whether a given
number p is prime has a long history. In the 1970s the first efficient probabilis-
tic algorithms for testing primality were developed, and efficient algorithms
with the following property were shown: if the given input p is a prime
number, then the output is always "prime". On the other hand, if p is a com-
posite number, then the output is "composite" except with probability that
is negligible in the length of p. Put differently, this means that if the result
is "composite" then p is definitely composite, but if the output is "prime"
then it is very likely that p is prime but it is also possible that a mistake has
occurred (and p is actually composite).¹

When using a randomized primality test of this sort in Algorithm 7.31 (the
prime-generation algorithm shown earlier), the output of the algorithm is a
random prime of the desired length as long as the algorithm does not output
fail and the randomized primality test is always correct. This means that an
additional source of error (besides the possibility of outputting fail) is intro-
duced, and the algorithm may now output a composite number by mistake.
Since we can ensure that this happens with only negligible probability, this
remote possibility will be of no practical concern and we can safely ignore it.

A deterministic polynomial-time algorithm for testing primality was demon-
strated in a breakthrough result in 2002. This algorithm, though running in
polynomial time, is slower than the probabilistic tests mentioned above. For
this reason, probabilistic primality tests are still used exclusively in practice
for generating large primes.

In Section 7.2.2 we describe and analyze one of the most commonly-used
probabilistic primality tests: the Miller-Rabin algorithm. This algorithm
takes two inputs: an integer N being tested for primality and a parame-
ter t that determines the error probability. The Miller-Rabin algorithm runs
in time polynomial in ||N|| and t, and satisfies:


THEOREM 7.33 If N is prime, then the Miller-Rabin test always outputs
"prime". If N is composite, then the algorithm outputs "prime" with probabil-
ity at most 2^{−t} (and outputs the correct answer "composite" with probability
1 − 2^{−t}).


Putting it all together. Given the preceding discussion, we can now de-
scribe a polynomial-time prime-generation algorithm that, on input n, outputs
a random n-bit prime except with probability negligible in n. (In the algo-
rithm, c is the unspecified constant from Theorem 7.32.) The full procedure
is described below in Algorithm 7.34.

Generating primes of a particular form. It is often desirable to generate
a random n-bit prime p of a particular form, for example satisfying p =
3 mod 4 or such that p = 2q + 1 where q is also prime (p of the latter type are


¹There also exist probabilistic primality tests that work in the opposite way: they always
correctly identify composite numbers but sometimes make a mistake when given a prime
as input. We will not consider algorithms of this type.
ALGORITHM 7.34
Generating a random prime

Input: A length parameter n
Output: A random n-bit prime

for i = 1 to n^2/c: {

  p' ← {0, 1}^{n−1}

  p := 1 || p'

  run the Miller-Rabin test on input p and parameter n
  if the output is "prime", return p
}

return fail


called strong primes). In this case, appropriate modifications of the prime-
generation algorithm shown above can be used (e.g., in order to obtain a
prime of the form p = 2q + 1, generate a random prime q, compute p = 2q + 1
and output p if it too is prime). While these modified algorithms work well
in practice, rigorous proofs that they run in polynomial time and fail with
only negligible probability are more complex (and, in some cases, rely on
unproven number-theoretic conjectures regarding the density of primes of a
particular form). A detailed exploration of these issues is beyond the scope
of this book, and we will simply assume the existence of appropriate prime-
generation algorithms when needed.

7.2.2 * Primality Testing

We now describe the Miller-Rabin primality testing algorithm and prove
Theorem 7.33. This material is not used directly in the rest of the book.

The key to the Miller-Rabin algorithm is to find a property that distin-
guishes primes and composites. As a starting point in this direction, consider
the following observation: if N is prime then |Z*_N| = N − 1, and so for any
number a ∈ {1, ..., N − 1} we have a^{N−1} = 1 mod N by Theorem 7.14. This
suggests testing whether a given integer N is prime by choosing a random
element a and checking whether a^{N−1} = 1 mod N. If a^{N−1} ≠ 1 mod N, then
N cannot be prime. Conversely, we might hope that if N is not prime then
there is a reasonable chance that we will pick a with a^{N−1} ≠ 1 mod N, and
so by repeating this test many times we could determine whether N is prime
or not with high confidence. The above approach is shown as Algorithm 7.35.
(Recall that exponentiation modulo N and computation of greatest common
divisors can be carried out in polynomial time. Choosing a random element
of {1, ..., N − 1} can also be done in polynomial time. See Appendix B.2.)

If N is prime then the discussion above implies that the algorithm always
outputs "prime." If N is composite, the algorithm outputs "composite" if it
finds an a ∈ Z*_N such that a^{N−1} ≠ 1 mod N in any iteration. (It also outputs
"composite" if it ever finds an a ∉ Z*_N; we will take this into account later.)
ALGORITHM 7.35

Primality testing — first attempt

Input: Integer N and parameter t

Output: A decision as to whether N is prime or composite

for i = 1 to t:

  a ← {1, ..., N − 1}
  if gcd(a, N) ≠ 1 return "composite"
  if a^{N−1} ≠ 1 mod N return "composite"

return "prime"


We refer to an a ∈ Z*_N with this property as a witness that N is composite, or
simply a witness. We might hope that when N is composite there are many
witnesses, and thus the algorithm finds such a witness with "high" probability.
This intuition is correct provided there is at least one witness in the first place.
Before proving this, we need two group-theoretic lemmas.


PROPOSITION 7.36 Let G be a finite group, and H ⊆ G. Assume that
H contains the identity element of G, and that for all a, b ∈ H it holds that
ab ∈ H. Then H is a subgroup of G.

PROOF We need to verify that H satisfies all the conditions of Defini-
tion 7.9. Associativity in H is inherited automatically from G. By assump-
tion, H has the identity element and is closed under the group operation. The
only thing remaining to verify is that the inverse of every element in H also
lies in H. Let m be the order of G (here is where we use the fact that G
is finite), and consider an arbitrary element a ∈ H. Since a ∈ G, we have
1 = a^m = a · a^{m−1}. This means that a^{m−1} is the inverse of a. Since a ∈ H,
the closure property of H guarantees that a^{m−1} ∈ H as required. ■

LEMMA 7.37 Let H be a strict subgroup of a finite group G (i.e., H ≠ G).
Then |H| ≤ |G|/2.

PROOF Let h̄ be an element of G that is not in H; since H ≠ G, we
know such an h̄ exists. Consider the set H̄ def= {h̄h | h ∈ H}. We show
that (1) |H̄| = |H|, and (2) every element of H̄ lies outside of H; i.e., the
intersection of H and H̄ is empty. Since both H and H̄ are subsets of G, these
imply |G| ≥ |H| + |H̄| = 2|H|, proving the lemma.

For every h_1, h_2 ∈ H, if h̄h_1 = h̄h_2 then, multiplying by h̄^{−1} on each side,
we have h_1 = h_2. This shows that every distinct element h ∈ H corresponds
to a distinct element h̄h ∈ H̄, proving (1).

Assume toward a contradiction that h̄h ∈ H for some h. This means h̄h = h'
for some h' ∈ H, and so h̄ = h'h^{−1}. Now, h'h^{−1} ∈ H since H is a subgroup
and h', h ∈ H. But this means that h̄ ∈ H, in contradiction to the way h̄
was chosen. This proves (2), and completes the proof of the lemma. ■


The  following  theorem  will  enable  us  to  analyze  the  algorithm  given  earlier. 


THEOREM 7.38 Fix N. Say there exists a witness that N is composite.
Then at least half the elements of Z*_N are witnesses that N is composite.

PROOF Let Bad be the set of elements in Z*_N that are not witnesses;
that is, a ∈ Bad means a^{N−1} = 1 mod N. Clearly, 1 ∈ Bad. If a, b ∈ Bad,
then (ab)^{N−1} = a^{N−1} · b^{N−1} = 1 · 1 = 1 mod N and hence ab ∈ Bad. By
Proposition 7.36, we conclude that Bad is a subgroup of Z*_N. Since (by assumption)
there is at least one witness, Bad is a strict subgroup of Z*_N. Lemma 7.37
then shows that |Bad| ≤ |Z*_N|/2, showing that at least half the elements of
Z*_N are not in Bad (and hence are witnesses). ■

Let N be composite. If there exists a witness that N is composite, then
there are at least |Z*_N|/2 witnesses. The probability that we find either a
witness or an element not in Z*_N in any given iteration of the algorithm is
thus at least

\frac{(N-1) - |Z^*_N|}{N-1} + \frac{|Z^*_N|/2}{N-1} = \frac{(N-1) - |Z^*_N|/2}{N-1} \geq \frac{1}{2},

and so the probability that the algorithm does not find a witness in any of the
t iterations (and hence the probability that the algorithm mistakenly outputs
"prime") is at most 2^{−t}.

The above, unfortunately, does not give a complete solution since there are
infinitely-many composite numbers N that do not have any witnesses that
they are composite! Such values N are known as Carmichael numbers; a
detailed discussion is beyond the scope of this book.

Happily, a refinement of the above test can be shown to work for all N.
Let N − 1 = 2^r u, where u is odd and r ≥ 1. (It is easy to compute r and u
given N. Also, restricting to r ≥ 1 means that N is odd, but testing primality
is easy when N is even!) The algorithm shown previously tests only whether
a^{N−1} = a^{2^r u} = 1 mod N. A more refined algorithm looks at the sequence of
r + 1 values a^u, a^{2u}, ..., a^{2^r u} (all modulo N). Each term in this sequence is
the square of the preceding term; thus, if some value is equal to ±1 then all
subsequent values will be equal to 1.

Say that a ∈ Z*_N is a strong witness that N is composite (or simply a
strong witness) if (1) a^u ≠ ±1 mod N and (2) a^{2^i u} ≠ −1 mod N for all
i ∈ {1, ..., r − 1}. If a is not a strong witness then a^{2^i u} = ±1 mod N for
some i ∈ {0, ..., r − 1}, and hence

a^{2^r u} = a^{N−1} = 1 mod N,

and so a is not a witness that N is composite, either. Put differently, if a is a
witness then it is also a strong witness and so there can only possibly be more
strong witnesses than witnesses. Note also that when an element a is not
a strong witness then the sequence (a^u, a^{2u}, ..., a^{2^r u}) (all taken modulo N)
takes one of the following forms:

(±1, 1, ..., 1)   or   (⋆, ..., ⋆, −1, 1, ..., 1),

where ⋆ denotes an arbitrary term.
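Added example (not the book's code): a Python implementation of the witness test of Algorithm 7.35, the strong-witness test just described, and prime generation in the style of Algorithms 7.31 and 7.34 built on top of it. `count_witnesses` lets you check Theorems 7.38 and 7.40 on small moduli; the Carmichael number 561 = 3 · 11 · 17, used here as a sample input, has no witnesses at all but many strong witnesses. Function names are this example's own.

```python
# Added example, not the book's code. Implements the witness test of
# Algorithm 7.35, the strong-witness test on the sequence a^u, a^(2u), ...,
# a^(2^r u), a Miller-Rabin-style probabilistic test built on it, and prime
# generation in the style of Algorithms 7.31/7.34.
import secrets
from math import gcd
from typing import Optional, Tuple


def is_witness(a: int, n: int) -> bool:
    """Witness in the sense of Algorithm 7.35: a in Z*_N with a^(N-1) != 1 mod N."""
    return pow(a, n - 1, n) != 1


def split_power_of_two(m: int) -> Tuple[int, int]:
    """Write m = 2^r * u with u odd; returns (r, u)."""
    r = 0
    while m % 2 == 0:
        m //= 2
        r += 1
    return r, m


def is_strong_witness(a: int, n: int) -> bool:
    """Strong witness for odd N > 2: a^u != +-1 mod N and a^(2^i u) != -1 mod N
    for all 1 <= i <= r-1, where N-1 = 2^r u with u odd."""
    if n % 2 == 0 or n <= 2:
        raise ValueError("strong witnesses are defined for odd N > 2")
    r, u = split_power_of_two(n - 1)
    x = pow(a, u, n)
    if x in (1, n - 1):            # sequence starts with +-1: not a strong witness
        return False
    for _ in range(1, r):
        x = (x * x) % n            # next term is the square of the previous one
        if x == n - 1:             # a -1 appears later: not a strong witness
            return False
    return True


def count_witnesses(n: int, strong: bool) -> int:
    """Number of elements of Z*_N that are (strong) witnesses. Theorem 7.38 /
    Theorem 7.40 say this is at least |Z*_N|/2 when a witness exists / when N
    is odd, composite and not a prime power."""
    test = is_strong_witness if strong else is_witness
    return sum(1 for a in range(1, n) if gcd(a, n) == 1 and test(a, n))


def miller_rabin(n: int, t: int) -> bool:
    """Returns True ("prime") unless one of t random a in {1, ..., N-1} is a
    non-unit or a strong witness. A composite N survives each trial with
    probability at most 1/2, hence all t trials with probability at most 2^-t."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = 1 + secrets.randbelow(n - 1)          # uniform in {1, ..., N-1}
        if gcd(a, n) != 1 or is_strong_witness(a, n):
            return False
    return True


def gen_prime(n: int, t: int) -> Optional[int]:
    """Algorithm 7.31 with the test above: at most t random n-bit candidates
    with the top bit forced to 1 (p = 1 || p'); None stands for 'fail'."""
    if n < 2:
        raise ValueError("need n >= 2")
    for _ in range(t):
        p = (1 << (n - 1)) | secrets.randbits(n - 1)
        if miller_rabin(p, n):                    # error parameter n, as in 7.34
            return p
    return None
```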

We  first  show  that  if  N is  prime  then  there  does  not  exist  a strong  witness 
that  N is  composite.  In  doing  so,  we  rely  on  the  following  easy  lemma  (which 
is  a special  case  of  Proposition  11.1  proved  in  Chapter  11): 


LEMMA 7.39 Say x ∈ Z*_N is a square root of 1 modulo N if x^2 = 1 mod N.
If N is an odd prime then the only square roots of 1 modulo N are [±1 mod N].


PROOF Clearly (±1)^2 = 1 mod N. Now, say N is an odd prime and x^2 =
1 mod N with x ∈ {1, ..., N − 1}. Then 0 = x^2 − 1 = (x + 1)(x − 1) mod N,
implying that N | (x + 1) or N | (x − 1) by Proposition 7.3. This can only
possibly occur if x = [±1 mod N]. ■


Now, say N is an odd prime and fix arbitrary a ∈ Z*_N. Let i ≥ 0 be the
minimum value for which a^{2^i u} = 1 mod N; since a^{2^r u} = a^{N−1} = 1 mod N we
know that some such i ≤ r exists. If i = 0 then a^u = 1 mod N and a is not a
strong witness. Otherwise,

\left(a^{2^{i-1} u}\right)^2 = a^{2^i u} = 1 mod N

and a^{2^{i−1} u} is a square root of 1. If N is an odd prime, the only square roots of
1 are ±1; by choice of i, however, a^{2^{i−1} u} ≠ 1 mod N. So a^{2^{i−1} u} = −1 mod N,
and a is not a strong witness. We conclude that when N is an odd prime
there is no strong witness for N.

A composite  integer  A^  is  a prime  power  if  A^  = p®  for  some  prime  p and 
integer  e > 2.  We  now  show  that  every  odd  composite  N that  is  not  a prime 
power  has  “many”  strong  witnesses. 


THEOREM 7.40 Let $N$ be an odd, composite number that is not a prime power. Then at least half the elements of $\mathbb{Z}_N^*$ are strong witnesses that $N$ is composite.

PROOF Let $\mathsf{Bad} \subseteq \mathbb{Z}_N^*$ denote the set of elements that are not strong witnesses. We define a set $\mathsf{Bad}'$ and show that: (1) $\mathsf{Bad}$ is a subset of $\mathsf{Bad}'$, and (2) $\mathsf{Bad}'$ is a strict subgroup of $\mathbb{Z}_N^*$. This suffices because by combining (2) and Lemma 7.37 we have that $|\mathsf{Bad}'| \leq |\mathbb{Z}_N^*|/2$. Furthermore, by (1) it holds that $\mathsf{Bad} \subseteq \mathsf{Bad}'$, and so $|\mathsf{Bad}| \leq |\mathsf{Bad}'| \leq |\mathbb{Z}_N^*|/2$ as in Theorem 7.38. Thus, at least half the elements of $\mathbb{Z}_N^*$ are strong witnesses. (We stress that we do not claim that $\mathsf{Bad}$ is a subgroup of $\mathbb{Z}_N^*$.)

Note first that $-1 \in \mathsf{Bad}$ since $(-1)^u = -1 \bmod N$ (recall $u$ is odd). Let $i \in \{0, \ldots, r-1\}$ be the largest integer for which there exists an $a \in \mathsf{Bad}$ with $a^{2^i u} = -1 \bmod N$; alternatively, $i$ is the largest integer for which there exists an $a \in \mathsf{Bad}$ with

$\underbrace{(\cdots((a^u)^2)^2 \cdots)^2}_{i+1 \text{ terms}} = -1.$

Since $-1 \in \mathsf{Bad}$ and $(-1)^{2^0 u} = -1 \bmod N$, such $i$ is well-defined. Fix $i$ as above, and define

$\mathsf{Bad}' \stackrel{\text{def}}{=} \{a \mid a^{2^i u} = \pm 1 \bmod N\}.$

We now prove what we claimed above.


CLAIM 7.41 $\mathsf{Bad} \subseteq \mathsf{Bad}'$.

Let $a \in \mathsf{Bad}$. Then either $a^u = 1 \bmod N$ or $a^{2^j u} = -1 \bmod N$ for some $j \in \{0, \ldots, r-1\}$. In the first case, $a^{2^i u} = (a^u)^{2^i} = 1 \bmod N$ and so $a \in \mathsf{Bad}'$. In the second case, we have $j \leq i$ by choice of $i$. If $j = i$ then clearly $a \in \mathsf{Bad}'$. If $j < i$ then $a^{2^i u} = \left(a^{2^j u}\right)^{2^{i-j}} = 1 \bmod N$ and $a \in \mathsf{Bad}'$. Since $a$ was arbitrary, this shows $\mathsf{Bad} \subseteq \mathsf{Bad}'$.

CLAIM 7.42 $\mathsf{Bad}'$ is a subgroup of $\mathbb{Z}_N^*$.

Clearly $1 \in \mathsf{Bad}'$. Furthermore, if $a, b \in \mathsf{Bad}'$ then

$(ab)^{2^i u} = a^{2^i u} \cdot b^{2^i u} = (\pm 1)(\pm 1) = \pm 1 \bmod N$

and so $ab \in \mathsf{Bad}'$. By Lemma 7.36, $\mathsf{Bad}'$ is a subgroup.

CLAIM 7.43 $\mathsf{Bad}'$ is a strict subgroup of $\mathbb{Z}_N^*$.

If $N$ is a composite integer that is not a prime power, then $N$ can be written as $N = N_1 N_2$ with $\gcd(N_1, N_2) = 1$. Appealing to the Chinese remainder theorem, let the notation $a \leftrightarrow (a_1, a_2)$ denote the representation of $a \in \mathbb{Z}_N^*$ as an element of $\mathbb{Z}_{N_1}^* \times \mathbb{Z}_{N_2}^*$; that is, $a_1 = [a \bmod N_1]$ and $a_2 = [a \bmod N_2]$. Take $a \in \mathsf{Bad}'$ such that $a^{2^i u} = -1 \bmod N$ (such an $a$ must exist by the way we defined $i$), and say $a \leftrightarrow (a_1, a_2)$. We know that

$(a_1^{2^i u}, a_2^{2^i u}) = (a_1, a_2)^{2^i u} \leftrightarrow a^{2^i u} = -1 \leftrightarrow (-1, -1),$

and so

$a_1^{2^i u} = -1 \bmod N_1$ and $a_2^{2^i u} = -1 \bmod N_2$.

Consider the element $b \in \mathbb{Z}_N^*$ with $b \leftrightarrow (a_1, 1)$. Then

$b^{2^i u} \leftrightarrow (a_1, 1)^{2^i u} = (a_1^{2^i u}, 1) = (-1, 1) \not\leftrightarrow \pm 1.$

That is, $b^{2^i u} \neq \pm 1 \bmod N$ and so we have found an element $b \notin \mathsf{Bad}'$. As we have mentioned, this proves that $\mathsf{Bad}'$ is a strict subgroup of $\mathbb{Z}_N^*$ and so, by Lemma 7.37, the size of $\mathsf{Bad}'$ (and thus the size of $\mathsf{Bad}$) is at most half the size of $\mathbb{Z}_N^*$, as required. ∎


An integer $N$ is a perfect power if $N = \hat{N}^e$ for integers $\hat{N}$ and $e \geq 2$ (here it is not required for $\hat{N}$ to be prime, though of course any prime power is also a perfect power). We can now describe a primality testing algorithm in full.

ALGORITHM 7.44

The Miller-Rabin primality test

Input: Integer $N > 2$ and parameter $t$

Output: A decision as to whether $N$ is prime or composite

if $N$ is even, return “composite”
if $N$ is a perfect power, return “composite”
compute $r \geq 1$ and $u$ odd such that $N - 1 = 2^r u$
for $j = 1$ to $t$:
    $a \leftarrow \{1, \ldots, N-1\}$
    if $\gcd(a, N) \neq 1$ return “composite”
    if $a$ is a strong witness return “composite”
return “prime”


Exercises 7.11 and 7.12 ask you to show that testing whether $N$ is a perfect power, and testing whether a particular $a$ is a strong witness, can be done in polynomial time. Given these results, the algorithm clearly runs in time polynomial in $\|N\|$ and $t$. We can now complete the proof of Theorem 7.33.

PROOF If $N$ is prime, there are no strong witnesses and so the Miller-Rabin algorithm always outputs “prime”. If $N$ is composite there are two cases: if $N$ is a prime power the algorithm always outputs “composite”. Otherwise, we invoke Theorem 7.40 and see that, in any iteration, the probability of finding either a strong witness or an element not in $\mathbb{Z}_N^*$ is at least

$\frac{|\mathbb{Z}_N^*|/2 + \big((N-1) - |\mathbb{Z}_N^*|\big)}{N-1} = 1 - \frac{|\mathbb{Z}_N^*|/2}{N-1} \geq 1 - \frac{|\mathbb{Z}_N^*|/2}{|\mathbb{Z}_N^*|} = \frac{1}{2},$

and so the probability that the algorithm does not find a witness in any of the $t$ iterations (and hence outputs “prime”) is at most $2^{-t}$. ∎
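The following Python program is an added worked example (it is not code from the book) implementing Algorithm 7.44 as stated above: the perfect-power check, the decomposition $N - 1 = 2^r u$, the strong-witness test that walks the sequence $a^u, a^{2u}, \ldots$, and the randomized loop. It also counts the strong witnesses of a small odd composite exhaustively, which is a direct check of Theorem 7.40; the Carmichael number $561 = 3 \cdot 11 \cdot 17$ is chosen as a constructed input because it has no Fermat witnesses at all in $\mathbb{Z}_{561}^*$, so it shows exactly what the refined test gains. The parameter `t` and the `rng` argument are this example's own conventions.

```python
import math
import random


def is_perfect_power(n: int) -> bool:
    """Return True iff n = m**e for integers m >= 2 and e >= 2.

    For each candidate exponent e (e cannot exceed the bit length of n), binary-search
    the integer e-th root of n using exact integer arithmetic only.
    """
    if n < 4:
        return False
    bits = n.bit_length()
    for e in range(2, bits + 1):
        lo, hi = 2, 1 << (bits // e + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            power = mid ** e
            if power == n:
                return True
            if power < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def split_power_of_two(m: int) -> tuple:
    """Write m = 2^r * u with u odd and return (r, u)."""
    r, u = 0, m
    while u % 2 == 0:
        r += 1
        u //= 2
    return r, u


def is_strong_witness(a: int, n: int) -> bool:
    """Strong-witness test for odd n and gcd(a, n) = 1, as defined in the text.

    a is NOT a strong witness if a^u = ±1 mod n, or if a^(2^i u) = -1 mod n for
    some i in {1, ..., r-1}; otherwise it is a strong witness.
    """
    r, u = split_power_of_two(n - 1)
    x = pow(a, u, n)
    if x == 1 or x == n - 1:          # a^u = ±1 mod n
        return False
    for _ in range(1, r):             # a^(2u), a^(4u), ..., a^(2^(r-1) u)
        x = pow(x, 2, n)
        if x == n - 1:                # hit -1: the rest of the sequence is all 1s
            return False
    return True


def miller_rabin(n: int, t: int = 20, rng=random) -> str:
    """Algorithm 7.44 for n > 2 (n = 2 is handled as a convenience); returns
    "prime" or "composite". rng is any object with randrange()."""
    if n == 2:
        return "prime"
    if n % 2 == 0:
        return "composite"
    if is_perfect_power(n):
        return "composite"
    for _ in range(t):
        a = rng.randrange(1, n)       # a <- {1, ..., n-1}
        if math.gcd(a, n) != 1:
            return "composite"
        if is_strong_witness(a, n):
            return "composite"
    return "prime"


def count_strong_witnesses(n: int) -> tuple:
    """Exhaustive check of Theorem 7.40 for a small odd composite n that is not a
    prime power: returns (number of strong witnesses, |Z_n^*|)."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    witnesses = sum(1 for a in units if is_strong_witness(a, n))
    return witnesses, len(units)


if __name__ == "__main__":
    # 561 is a Carmichael number: a^560 = 1 mod 561 for every unit, so the Fermat
    # test never finds a witness, yet over half of Z_561^* are strong witnesses.
    print(count_strong_witnesses(561))
    print(miller_rabin(561), miller_rabin(7919), miller_rabin(3 ** 5))
```

On 561 the exhaustive count shows that the bound of Theorem 7.40 holds with room to spare, while $3^5 = 243$ is rejected by the perfect-power step before any base is sampled.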


7.2.3  The  Factoring  Assumption 

Now that we have discussed how to generate random primes, we formally define the factoring assumption. Let GenModulus be a polynomial-time algorithm that, on input $1^n$, outputs $(N, p, q)$ where $N = pq$, and $p$ and $q$ are $n$-bit primes except with probability negligible in $n$. Then consider the following experiment for a given algorithm $\mathcal{A}$ and parameter $n$:

The factoring experiment $\mathsf{Factor}_{\mathcal{A}, \mathsf{GenModulus}}(n)$:

1. Run $\mathsf{GenModulus}(1^n)$ to obtain $(N, p, q)$.

2. $\mathcal{A}$ is given $N$, and outputs $p', q' > 1$.

3. The output of the experiment is defined to be 1 if $p' \cdot q' = N$, and 0 otherwise.

Of course, except with negligible probability, if the output of the experiment is 1 then $\{p', q'\} = \{p, q\}$.

DEFINITION 7.45 We say that factoring is hard relative to GenModulus if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function negl such that

$\Pr[\mathsf{Factor}_{\mathcal{A}, \mathsf{GenModulus}}(n) = 1] \leq \mathsf{negl}(n).$

The factoring assumption is simply the assumption that there exists a GenModulus relative to which factoring is hard. A natural way to construct a suitable GenModulus algorithm is to generate two random primes $p$ and $q$ of length $n$, and then set $N$ to be their product; factoring is believed to be hard relative to GenModulus of this form.

7.2.4  The  RSA  Assumption 

The factoring problem has been studied for hundreds of years without an efficient algorithm being found, and so it is very plausible that the problem truly is hard. Unfortunately, although the factoring assumption does yield a one-way function (see Section 7.4.1), the factoring assumption in the form we have described it is not known to yield practical cryptographic constructions. (In Section 11.2.2, however, we show a very useful problem whose hardness is equivalent to that of factoring.) This has motivated a search for other problems whose difficulty is related to the hardness of factoring. The best known of these is a problem introduced by Rivest, Shamir, and Adleman and now called the RSA problem.

$\mathbb{Z}_N^*$ is a group of order $\phi(N) = (p-1)(q-1)$. If the factorization of $N$ is known, then it is easy to compute the group order $\phi(N)$ and so computations modulo $N$ can potentially be simplified by “working in the exponent modulo $\phi(N)$” (cf. Corollary 7.15). On the other hand, if the factorization of $N$ is unknown then it is difficult to compute $\phi(N)$ (in fact, computing $\phi(N)$ is as hard as factoring $N$; see Exercise 7.13). Thus “working in the exponent modulo $\phi(N)$” is not an available option, at least not in any obvious way. The RSA problem exploits this asymmetry: the RSA problem is easy to solve if $\phi(N)$ is known, but appears hard to solve without knowledge of $\phi(N)$. In this section we focus on the hardness of solving the RSA problem relative to a modulus $N$ of unknown factorization; the fact that the RSA problem becomes easy when the factors of $N$ are known will prove extremely useful for the cryptographic applications we will see later in the book.

Given a modulus $N$ and an integer $e > 0$ relatively prime to $\phi(N)$, Corollary 7.22 shows that exponentiation to the $e$th power modulo $N$ is a permutation. It therefore makes sense to define $y^{1/e} \bmod N$ (for any $y \in \mathbb{Z}_N^*$) as the unique element of $\mathbb{Z}_N^*$ for which $(y^{1/e})^e = y \bmod N$.

The RSA problem can now be described informally as follows: given $N$, an integer $e > 0$ that is relatively prime to $\phi(N)$, and an element $y \in \mathbb{Z}_N^*$, compute $y^{1/e} \bmod N$; that is, given $N, e, y$ find $x$ such that $x^e = y \bmod N$. Formally, let GenRSA be a probabilistic polynomial-time algorithm that, on input $1^n$, outputs a modulus $N$ that is the product of two $n$-bit primes, as well as an integer $e > 0$ with $\gcd(e, \phi(N)) = 1$ and an integer $d$ satisfying $ed = 1 \bmod \phi(N)$. (Such a $d$ exists since $e$ is invertible modulo $\phi(N)$.) The algorithm may fail with probability negligible in $n$. Consider the following experiment for a given algorithm $\mathcal{A}$ and parameter $n$:

The RSA experiment $\mathsf{RSA\text{-}inv}_{\mathcal{A}, \mathsf{GenRSA}}(n)$:

1. Run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$.

2. Choose $y \leftarrow \mathbb{Z}_N^*$.

3. $\mathcal{A}$ is given $N, e, y$, and outputs $x \in \mathbb{Z}_N^*$.

4. The output of the experiment is defined to be 1 if $x^e = y \bmod N$, and 0 otherwise.

DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function negl such that

$\Pr[\mathsf{RSA\text{-}inv}_{\mathcal{A}, \mathsf{GenRSA}}(n) = 1] \leq \mathsf{negl}(n).$

The RSA assumption is simply the assumption that there exists a GenRSA relative to which the RSA problem is hard. A suitable algorithm GenRSA can be constructed based on any algorithm GenModulus that generates a composite modulus along with its factorization. A high-level outline follows, where the only thing left unspecified is how exactly $e$ is chosen. There are in fact a number of ways $e$ can be chosen (with the RSA problem still believed to be hard); some specific methods for choosing $e$ are discussed in Section 10.4.1.

ALGORITHM 7.47
GenRSA — high-level outline

Input: Security parameter $1^n$
Output: $N, e, d$ as described in the text

$(N, p, q) \leftarrow \mathsf{GenModulus}(1^n)$
$\phi(N) := (p-1)(q-1)$
find $e$ such that $\gcd(e, \phi(N)) = 1$
compute $d := [e^{-1} \bmod \phi(N)]$
return $N, e, d$


When GenRSA is constructed as above, for which algorithms GenModulus is the RSA problem likely to be hard? If the factorization of $N$ is known, the RSA problem is easy to solve: first compute $\phi(N)$; then compute $d = [e^{-1} \bmod \phi(N)]$; finally compute the solution $[y^d \bmod N]$. It follows from Corollary 7.22 that this gives the correct answer. For the RSA problem to be hard, then, it must be infeasible to factor $N$ output by GenModulus. We conclude that if the RSA problem is hard relative to GenRSA constructed as above, then the factoring problem must be hard relative to GenModulus. That is, the RSA problem cannot be more difficult than factoring.

What about the converse? When $N$ is a product of two primes, the factorization of $N$ can be computed efficiently from $\phi(N)$ (see Exercise 7.13) and so the problems of factoring $N$ and computing $\phi(N)$ are equally hard. In fact, one can show more: given $N$, $e$, and $d$ with $ed = 1 \bmod \phi(N)$ it is possible to compute the factorization of $N$ in probabilistic polynomial time; see Exercise 7.14 for a simple case of this result. There is no known proof, however, that there is no other way of solving the RSA problem that does not involve explicit computation of $\phi(N)$ or $d$. Thus, given our current state of knowledge, we cannot conclude that the RSA problem is as hard as factoring, and so the assumption that RSA is hard appears stronger than the assumption that factoring is hard. (That is, it may be that the RSA problem can be solved in polynomial time even though factoring cannot.)

Nevertheless, when GenRSA is constructed based on a modulus-generation algorithm GenModulus as in Algorithm 7.47 (i.e., by choosing $N$ as the product of two random $n$-bit primes), the RSA problem is believed to be hard relative to GenRSA whenever factoring is hard relative to GenModulus.
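The following Python program is an added worked example (not code from the book) tying together Algorithm 7.47 and the discussion above. It instantiates GenRSA on caller-supplied primes in place of a real GenModulus (an assumption made so the example runs instantly on toy sizes; a real GenModulus samples random $n$-bit primes), fixes $e$ to one admissible value, solves the RSA problem the way the text says anyone who knows the factorization can (compute $\phi(N)$, then $d$, then $y^d \bmod N$), verifies the answer with the check the RSA experiment performs, and recovers $p, q$ from $N$ and $\phi(N)$ via the quadratic in the text's Exercise 7.13 direction. The concrete primes $61, 53$ and $e = 17$ are constructed sample values.

```python
import math
import random


def gen_rsa(p: int, q: int, e: int = 65537) -> tuple:
    """Algorithm 7.47 with GenModulus replaced by caller-supplied primes p and q
    (a stand-in for this example) and with e fixed to the given value.
    Returns (N, e, d) with e*d = 1 mod phi(N)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, phi)               # d := [e^{-1} mod phi(N)]  (Python 3.8+)
    return N, e, d


def rsa_invert_with_factors(N: int, e: int, y: int, p: int, q: int) -> int:
    """Solve the RSA problem when the factorization of N is known:
    phi(N) -> d = e^{-1} mod phi(N) -> x = y^d mod N (Corollary 7.22 makes x^e = y)."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return pow(y, d, N)


def is_rsa_solution(N: int, e: int, y: int, x: int) -> bool:
    """The check of step 4 of the RSA experiment: 1 iff x^e = y mod N."""
    return pow(x, e, N) == y


def factor_from_phi(N: int, phi: int) -> tuple:
    """Recover (p, q) from N = pq and phi(N) = (p-1)(q-1):
    p + q = N - phi + 1, so p, q are the roots of X^2 - (p+q)X + N."""
    s = N - phi + 1
    disc = s * s - 4 * N
    if disc < 0:
        raise ValueError("phi is not phi(N) for a product of two primes")
    root = math.isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not phi(N) for a product of two primes")
    return (s + root) // 2, (s - root) // 2


if __name__ == "__main__":
    # Constructed toy parameters; real moduli use primes of hundreds of bits.
    p, q = 61, 53
    N, e, d = gen_rsa(p, q, e=17)
    y = random.randrange(1, N)
    while math.gcd(y, N) != 1:        # sample y from Z_N^* as in step 2
        y = random.randrange(1, N)
    x = rsa_invert_with_factors(N, e, y, p, q)
    print(N, e, d, is_rsa_solution(N, e, y, x), factor_from_phi(N, (p - 1) * (q - 1)))
```

The two helper functions make the one-directional relationship in the text concrete: knowing $p, q$ (or just $\phi(N)$) solves every RSA instance for that modulus, while nothing here lets one go the other way without $\phi(N)$ or $d$.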


7.3  Assumptions  in  Cyclic  Groups 

In  this  section  we  introduce  a class  of  cryptographic  hardness  assumptions 
in  cyclic  groups.  We  first  discuss  the  necessary  background. 

7.3.1  Cyclic  Groups  and  Generators 

Let $G$ be a finite group of order $m$. For arbitrary $g \in G$, consider the set

$\langle g \rangle \stackrel{\text{def}}{=} \{g^0, g^1, \ldots\}.$

By Theorem 7.14, we have $g^m = 1$. Let $i \leq m$ be the smallest positive integer for which $g^i = 1$. Then the above sequence repeats after $i$ terms (i.e., $g^i = g^0$, $g^{i+1} = g^1$, etc.), and so

$\langle g \rangle = \{g^0, \ldots, g^{i-1}\}.$

We see that $\langle g \rangle$ contains at most $i$ elements. In fact, it contains exactly $i$ elements since if $g^j = g^k$ with $0 \leq j < k < i$ then $g^{k-j} = 1$ and $0 < k - j < i$, contradicting our choice of $i$.

It is not hard to verify that $\langle g \rangle$ is a subgroup of $G$ for any $g$ (see Exercise 7.3); we call $\langle g \rangle$ the subgroup generated by $g$. If the order of the subgroup $\langle g \rangle$ is $i$, then $i$ is called the order of $g$; that is:

DEFINITION 7.48 Let $G$ be a finite group and $g \in G$. The order of $g$ is the smallest positive integer $i$ with $g^i = 1$.

The following is a useful analogue of Corollary 7.15 (the proof is identical):

PROPOSITION 7.49 Let $G$ be a finite group, and $g \in G$ an element of order $i$. Then for any integer $x$, we have $g^x = g^{[x \bmod i]}$.

We can actually prove something stronger.

PROPOSITION 7.50 Let $G$ be a finite group, and $g \in G$ an element of order $i$. Then $g^x = g^y$ if and only if $x = y \bmod i$.
PROOF If $x = y \bmod i$ then $[x \bmod i] = [y \bmod i]$ and the previous proposition says that

$g^x = g^{[x \bmod i]} = g^{[y \bmod i]} = g^y.$

For the more interesting direction, say $g^x = g^y$. Let $x' = [x \bmod i]$ and $y' = [y \bmod i]$; the previous proposition tells us that $g^{x'} = g^{y'}$ or, equivalently, $g^{x'} \cdot (g^{y'})^{-1} = 1$. If $x' \neq y'$, we may assume without loss of generality that $x' > y'$. Since both $x'$ and $y'$ are smaller than $i$, the difference $x' - y'$ is then a non-zero integer smaller than $i$. But then

$g^{x' - y'} = g^{x'} \cdot (g^{y'})^{-1} = 1,$

contradicting the fact that $i$ is the order of $g$. ∎


The identity element of any group $G$ has order 1, generates the group $\langle 1 \rangle = \{1\}$, and is the only element of order 1. At the other extreme, if there exists an element $g \in G$ that has order $m$ (where $m$ is the order of $G$), then $\langle g \rangle = G$. In this case, we call $G$ a cyclic group and say that $g$ is a generator of $G$. (Note that a cyclic group may have multiple generators, and so we cannot speak of the generator.) If $g$ is a generator of $G$ then, by definition, every element $h \in G$ is equal to $g^x$ for some $x \in \{0, \ldots, m-1\}$, a point we will return to in the next section.

Different elements of the same group $G$ may have different orders. We can, however, place some restrictions on what these possible orders might be.

PROPOSITION 7.51 Let $G$ be a finite group of order $m$, and say $g \in G$ has order $i$. Then $i \mid m$.

PROOF By Theorem 7.14 we know that $g^m = 1$. Since $g$ has order $i$, we have $g^m = g^{[m \bmod i]}$ by Proposition 7.49. If $i$ does not divide $m$, then $i' = [m \bmod i]$ is a positive integer smaller than $i$ for which $g^{i'} = 1$. Since $i$ is the order of $g$, this is impossible. ∎

The next corollary illustrates the power of this result:

COROLLARY 7.52 If $G$ is a group of prime order $p$, then $G$ is cyclic. Furthermore, all elements of $G$ except the identity are generators of $G$.

PROOF By Proposition 7.51, the only possible orders of elements in $G$ are 1 and $p$. Only the identity has order 1, and so all other elements have order $p$ and generate $G$. ∎
Groups of prime order form one class of cyclic groups. The additive group $\mathbb{Z}_N$, for $N > 1$, gives another example of a cyclic group (the element 1 is always a generator). The next theorem gives an important additional class of cyclic groups; a proof is outside the scope of this book, but can be found in any standard abstract algebra text.

THEOREM 7.53 If $p$ is prime then $\mathbb{Z}_p^*$ is cyclic.

For $p > 3$ prime, $\mathbb{Z}_p^*$ does not have prime order and so the above does not follow from the preceding corollary.

Some examples will help illustrate the preceding discussion.

Example 7.54

Consider the (additive) group $\mathbb{Z}_{15}$. As we have noted, $\mathbb{Z}_{15}$ is cyclic and the element ‘1’ is a generator since $15 \cdot 1 = 0 \bmod 15$ and $i' \cdot 1 = i' \neq 0 \bmod 15$ for any $0 < i' < 15$ (recall that in this group the identity is 0).

$\mathbb{Z}_{15}$ has other generators. E.g., $\langle 2 \rangle = \{0, 2, 4, \ldots, 14, 1, 3, 5, \ldots, 13\}$ and so 2 is also a generator.

Not every element generates $\mathbb{Z}_{15}$. For example, the element ‘3’ has order 5 since $5 \cdot 3 = 0 \bmod 15$, and so 3 does not generate $\mathbb{Z}_{15}$. The subgroup $\langle 3 \rangle$ consists of the 5 elements $\{0, 3, 6, 9, 12\}$, and this is indeed a subgroup under addition modulo 15. The element ‘10’ has order 3 since $3 \cdot 10 = 0 \bmod 15$, and the subgroup $\langle 10 \rangle$ consists of the 3 elements $\{0, 5, 10\}$. Note that 5 and 3 both divide $|\mathbb{Z}_{15}| = 15$ as required by Proposition 7.51. ◇

Example 7.55

Consider the (multiplicative) group $\mathbb{Z}_{15}^*$ of order $(5-1)(3-1) = 8$. We have $\langle 2 \rangle = \{1, 2, 4, 8\}$, and so the order of 2 is 4. As required by Proposition 7.51, 4 divides 8. ◇

Example 7.56

Consider the group $\mathbb{Z}_p$ of prime order $p$. We know this group is cyclic, but Corollary 7.52 tells us more: namely, that every element except 0 is a generator. Indeed, for any element $h \in \{1, \ldots, p-1\}$ and integer $i > 0$ we have $ih = 0 \bmod p$ if and only if $p \mid ih$. But then Proposition 7.3 says that either $p \mid h$ or $p \mid i$. The former cannot occur (since $h < p$), and the smallest positive integer for which the latter can occur is $i = p$. We have thus shown that every non-zero element $h$ has order $p$ (and so generates $\mathbb{Z}_p$), in accordance with Corollary 7.52. ◇

Example 7.57

Consider the group $\mathbb{Z}_7^*$, which is cyclic by Theorem 7.53. We have $\langle 2 \rangle = \{1, 2, 4\}$, and so 2 is not a generator. However,

$\langle 3 \rangle = \{1, 3, 2, 6, 4, 5\} = \mathbb{Z}_7^*,$

and so 3 is a generator of $\mathbb{Z}_7^*$. ◇

The following example relies on the material of Section 7.1.5.

Example 7.58

Let $G$ be a cyclic group of order $n$, and let $g$ be a generator of $G$. Then the mapping $f : \mathbb{Z}_n \to G$ given by $f(a) = g^a$ is an isomorphism between $\mathbb{Z}_n$ and $G$. Indeed, for $a, a' \in \mathbb{Z}_n$ we have

$f(a + a') = g^{[a + a' \bmod n]} = g^{a + a'} = g^a \cdot g^{a'} = f(a) \cdot f(a').$

Bijectivity of $f$ can be proved using the fact that $n$ is the order of $g$. ◇

The previous example shows that all cyclic groups of the same order are “the same” in an algebraic sense. We stress that this is not true in a computational sense, and in particular an isomorphism $f^{-1} : G \to \mathbb{Z}_n$ (which we know must exist) need not be efficiently computable. Moreover, even though $\mathbb{Z}_p^*$ (for $p$ prime) is isomorphic to the group $\mathbb{Z}_{p-1}$, the computational complexity of operations in these two groups may be very different. We will return to this point in Chapter 8.
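The following Python program is an added example (not code from the book) that computes element orders, generated subgroups, and generators for the concrete groups of Examples 7.54 through 7.57, and checks Proposition 7.51 exhaustively. It represents a group as a triple (operation, identity, element list) and finds orders by repeated application of the operation, which is the definition taken literally; that representation and the helper names are this example's own conventions, and the approach is only sensible for groups this small.

```python
import math


def element_order(g, op, identity) -> int:
    """Definition 7.48: the smallest i >= 1 with g^i = identity, found by
    repeatedly applying the group operation (fine for tiny groups)."""
    i, x = 1, g
    while x != identity:
        x = op(x, g)
        i += 1
    return i


def generated_subgroup(g, op, identity) -> list:
    """<g> = {g^0, g^1, ..., g^(i-1)}, listed in that order."""
    elems, x = [identity], g
    while x != identity:
        elems.append(x)
        x = op(x, g)
    return elems


def additive_Z(N: int) -> tuple:
    """The additive group Z_N as (operation, identity, elements)."""
    return (lambda a, b: (a + b) % N), 0, list(range(N))


def multiplicative_Z_star(N: int) -> tuple:
    """The multiplicative group Z_N^* as (operation, identity, elements)."""
    return (lambda a, b: (a * b) % N), 1, [a for a in range(1, N) if math.gcd(a, N) == 1]


def generators(group: tuple) -> list:
    """Elements whose order equals the group order, i.e. those with <g> = G."""
    op, identity, elems = group
    return [g for g in elems if element_order(g, op, identity) == len(elems)]


def orders_divide_group_order(group: tuple) -> bool:
    """Proposition 7.51 (the order of every element divides |G|), checked exhaustively."""
    op, identity, elems = group
    return all(len(elems) % element_order(g, op, identity) == 0 for g in elems)


if __name__ == "__main__":
    op, e, _ = additive_Z(15)
    print(element_order(3, op, e), generated_subgroup(3, op, e))         # Example 7.54
    print(generated_subgroup(2, *multiplicative_Z_star(15)[:2]))         # Example 7.55
    print(generated_subgroup(3, *multiplicative_Z_star(7)[:2]))          # Example 7.57
    print(generators(multiplicative_Z_star(7)), generators(additive_Z(7)))
```

Running it reproduces the sets listed in the examples (for instance $\langle 3 \rangle$ in $\mathbb{Z}_7^*$ comes out in exactly the order $1, 3, 2, 6, 4, 5$) and shows that $\mathbb{Z}_{15}^*$ has no generator at all, since it is not cyclic.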

7.3.2 The Discrete Logarithm and Diffie-Hellman Assumptions

We now introduce a number of computational problems that can be defined for any class of cyclic groups. We will keep the discussion in this section abstract, and consider specific examples of groups in which these problems are believed to be hard in Sections 7.3.3 and 7.3.4.

If $G$ is a cyclic group of order $q$, then there exists a generator $g \in G$ such that $\{g^0, g^1, \ldots, g^{q-1}\} = G$. Equivalently, for every $h \in G$ there is a unique $x \in \mathbb{Z}_q$ such that $g^x = h$. By way of notation, when the underlying group $G$ is understood from the context we call this $x$ the discrete logarithm of $h$ with respect to $g$ and write $x = \log_g h$. Note that if $g^{x'} = h$ for some arbitrary integer $x'$, then $\log_g h = [x' \bmod q]$. We remark that logarithms in this case are called “discrete” since they take values in a finite range, as opposed to “standard” logarithms from calculus whose values range over an infinite set.

Discrete logarithms obey many of the same rules as “standard” logarithms. For example, $\log_g 1 = 0$ (where ‘1’ is the identity of $G$) and $\log_g(h_1 \cdot h_2) = [(\log_g h_1 + \log_g h_2) \bmod q]$.




The discrete logarithm problem in a cyclic group $G$ with given generator $g$ is to compute $\log_g h$ given a random element $h \in G$ as input. Formally, let $\mathcal{G}$ be a polynomial-time algorithm that, on input $1^n$, outputs a (description of a) cyclic group $G$, its order $q$ (with $\|q\| = n$), and a generator $g \in G$. We also require that the group operation in $G$ can be computed efficiently (namely, in time polynomial in $n$). Consider the following experiment for a given group-generating algorithm $\mathcal{G}$, algorithm $\mathcal{A}$, and parameter $n$:

The discrete logarithm experiment $\mathsf{DLog}_{\mathcal{A}, \mathcal{G}}(n)$:

1. Run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$, where $G$ is a cyclic group of order $q$ (with $\|q\| = n$), and $g$ is a generator of $G$.

2. Choose $h \leftarrow G$. (This can be done by choosing $x' \leftarrow \mathbb{Z}_q$ and setting $h := g^{x'}$.)

3. $\mathcal{A}$ is given $G, q, g, h$, and outputs $x \in \mathbb{Z}_q$.

4. The output of the experiment is defined to be 1 if $g^x = h$, and 0 otherwise.

DEFINITION 7.59 We say that the discrete logarithm problem is hard relative to $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function negl such that

$\Pr[\mathsf{DLog}_{\mathcal{A}, \mathcal{G}}(n) = 1] \leq \mathsf{negl}(n).$

The discrete logarithm assumption is simply the assumption that there exists a $\mathcal{G}$ for which the discrete logarithm problem is hard. The following two sections discuss some candidate group-generation algorithms $\mathcal{G}$ for which this is believed to be the case.

Some very useful problems that are related to the problem of computing discrete logarithms are the so-called Diffie-Hellman problems. There are two important variants: the computational Diffie-Hellman (CDH) problem, and the decisional Diffie-Hellman (DDH) problem. Although the CDH problem is not used in the remainder of the book, it will be instructive to introduce it, at least informally, before moving on to the DDH problem.

Fix a cyclic group $G$ and a generator $g \in G$. Given two group elements $h_1$ and $h_2$, define $\mathsf{DH}_g(h_1, h_2) \stackrel{\text{def}}{=} g^{\log_g h_1 \cdot \log_g h_2}$. That is, if $h_1 = g^x$ and $h_2 = g^y$ then

$\mathsf{DH}_g(h_1, h_2) = g^{xy} = h_1^y = h_2^x.$

The CDH problem is to compute $\mathsf{DH}_g(h_1, h_2)$ given randomly-chosen $h_1$ and $h_2$.

If the discrete logarithm problem relative to some $\mathcal{G}$ is easy, then the CDH problem is, too: given $h_1$ and $h_2$, first compute $x = \log_g h_1$ and then output the answer $h_2^x$. In contrast, it is not clear whether hardness of the discrete logarithm problem necessarily implies that the CDH problem is hard as well.
The DDH problem, roughly speaking, is to distinguish $\mathsf{DH}_g(h_1, h_2)$ from a random group element for randomly-chosen $h_1, h_2$. That is, given randomly-chosen $h_1, h_2$ and a candidate solution $h'$, the problem is to decide whether $h' = \mathsf{DH}_g(h_1, h_2)$ or whether $h'$ was chosen randomly from $G$. Formally, let $\mathcal{G}$ be as above. Then:

DEFINITION 7.60 We say that the DDH problem is hard relative to $\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function negl such that

$\Big| \Pr[\mathcal{A}(G, q, g, g^x, g^y, g^z) = 1] - \Pr[\mathcal{A}(G, q, g, g^x, g^y, g^{xy}) = 1] \Big| \leq \mathsf{negl}(n),$

where in each case the probabilities are taken over the experiment in which $\mathcal{G}(1^n)$ outputs $(G, q, g)$, and then random $x, y, z \leftarrow \mathbb{Z}_q$ are chosen.

Note that when $z$ is chosen at random from $\mathbb{Z}_q$, independent of anything else, the element $g^z$ is uniformly distributed in $G$.

We have already seen that if the discrete logarithm problem is easy relative to some $\mathcal{G}$, then the CDH problem is too. Similarly, if the CDH problem is easy relative to $\mathcal{G}$ then so is the DDH problem; you are asked to show this in Exercise 7.16. The converse, however, does not appear to be true, and there are examples of groups in which the discrete logarithm and CDH problems are believed to be hard even though the DDH problem is easy; see Exercise 11.10.


Using  Prime-Order  Groups 

There  are  a number  of  classes  of  cyclic  groups  for  which  the  discrete  loga- 
rithm and  Diffie-Hellman  problems  are  believed  to  be  hard.  Although  cyclic 
groups  of  non-prime  order  are  still  used  for  certain  cryptographic  applications, 
there  is  a general  preference  for  using  cyclic  groups  of  prime  order.  There  are 
a number  of  reasons  for  this,  as  we  now  explain. 

One reason for preferring groups of prime order is because, in a certain sense, the discrete logarithm problem is hardest in such groups. Specifically, the Pohlig-Hellman algorithm that will be described in Chapter 8 reduces an instance of the discrete logarithm problem in a group of order $q = q_1 \cdot q_2$ to two instances of the discrete logarithm problem in groups of order $q_1$ and $q_2$, respectively. (This assumes that the factorization of $q$ is known, but if $q$ has small prime factors then finding some non-trivial factorization of $q$ will be easy.) We stress that this does not mean that the discrete logarithm problem is easy (i.e., can be solved in polynomial time) in non-prime order groups; it merely means that the problem becomes easier (at least for currently known algorithms). In any case, this explains why prime order groups are desirable.

A second motivation for using prime order groups is because finding a generator in such groups is trivial, as is testing whether a given element is a generator. This follows from Corollary 7.52, which says that every element of a prime order group (except the identity) is a generator. Even though it is possible to find a generator of an arbitrary cyclic group in probabilistic polynomial time (see Appendix B.3), using a prime-order group can potentially yield a more efficient algorithm $\mathcal{G}$ (which, recall, needs to compute a generator $g$ of the group $G$ that it outputs).

For some cryptographic constructions, the proof of security requires computing multiplicative inverses of certain exponents (we will see an example in Section 7.4.2). When the group order is a prime $q$, any non-zero exponent will be invertible modulo $q$, enabling this computation to be possible.

A final reason for working with prime-order groups applies in situations when the decisional Diffie-Hellman problem should be hard. Fixing a group $G$ with generator $g$, the DDH problem boils down to distinguishing between tuples of the form $(h_1, h_2, \mathsf{DH}_g(h_1, h_2))$ for random $h_1, h_2$, and tuples of the form $(h_1, h_2, y)$, for random $h_1, h_2, y$. A necessary condition for the DDH problem to be hard is that $\mathsf{DH}_g(h_1, h_2)$ by itself should be indistinguishable from a random group element. It seems that it would be best if $\mathsf{DH}_g(h_1, h_2)$ actually were a random group element when $h_1$ and $h_2$ are chosen at random.¹ We show that when the group order $q$ is prime, this is (almost) true. In order to see this, we first prove the following:


PROPOSITION 7.61 Let $G$ be a group of prime order $q$ with generator $g$. If $x_1$ and $x_2$ are chosen uniformly at random from $\mathbb{Z}_q$, then

$\Pr[\mathsf{DH}_g(g^{x_1}, g^{x_2}) = 1] = \frac{2}{q} - \frac{1}{q^2},$

and for any other value $y \in G$, $y \neq 1$:

$\Pr[\mathsf{DH}_g(g^{x_1}, g^{x_2}) = y] = \frac{1}{q} - \frac{1}{q^2}.$

PROOF We use the fact that $\mathsf{DH}_g(g^{x_1}, g^{x_2}) = g^{[x_1 \cdot x_2 \bmod q]}$. Since $q$ is prime, $[x_1 \cdot x_2 \bmod q] = 0$ if and only if either $x_1 = 0$ or $x_2 = 0$. Because $x_1$ and $x_2$ are uniformly distributed in $\mathbb{Z}_q$,

$\Pr[\mathsf{DH}_g(g^{x_1}, g^{x_2}) = 1] = \Pr[x_1 = 0 \vee x_2 = 0] = 1 - \Pr[x_1 \neq 0] \cdot \Pr[x_2 \neq 0] = 1 - \left(\frac{q-1}{q}\right)^2 = \frac{2}{q} - \frac{1}{q^2}.$

Fix any $y \in G$, $y \neq 1$, and let $x = \log_g y \neq 0$. Note that $\mathsf{DH}_g(g^{x_1}, g^{x_2}) = y$ if and only if $x_1 x_2 = x \bmod q$. Since $q$ is prime, all non-zero elements of $\mathbb{Z}_q$ have a multiplicative inverse modulo $q$, and so $x_1 x_2 = x \bmod q$ if and only if $x_1$ is non-zero and $x_2 = x \cdot (x_1)^{-1} \bmod q$. So:

$\Pr[\mathsf{DH}_g(g^{x_1}, g^{x_2}) = y] = \Pr[x_1 x_2 = x \bmod q] = \Pr[x_2 = x \cdot (x_1)^{-1} \bmod q \mid x_1 \neq 0] \cdot \Pr[x_1 \neq 0] = \frac{1}{q} \cdot \frac{q-1}{q} = \frac{1}{q} - \frac{1}{q^2},$

as claimed. ∎

¹ It is important to keep in mind the distinction between the distribution of $\mathsf{DH}_g(h_1, h_2)$, and the distribution of $\mathsf{DH}_g(h_1, h_2)$ conditioned on the given values of $h_1, h_2$. Since $\mathsf{DH}_g(h_1, h_2)$ is a deterministic function of $h_1$ and $h_2$, the latter distribution puts probability 1 on the correct answer $\mathsf{DH}_g(h_1, h_2)$ and is thus far from uniform. We are interested here in the distribution of $\mathsf{DH}_g(h_1, h_2)$ when $h_1, h_2$ are random and unknown.

We now compare this to the uniform distribution over $G$. A uniformly-distributed element $y'$ has $\Pr[y' = y] = 1/q$ for all $y \in G$ (i.e., including when $y = 1$). When $\|q\| = n$ (and so $q = \Theta(2^n)$) the above proposition says that for uniformly-distributed $h_1$ and $h_2$

$\Pr[\mathsf{DH}_g(h_1, h_2) = y] = \frac{1}{q} \pm \mathsf{negl}(n).$

In this sense, $\mathsf{DH}_g(h_1, h_2)$ is close to uniform in $G$. The above notwithstanding, we stress that using a group of prime order is neither necessary nor sufficient for the DDH problem to be hard (indeed, the DDH problem is easy in the additive group $\mathbb{Z}_p$ for a prime $p$). Instead, it should merely be viewed as an additional, heuristic reason why prime-order groups are preferred.

7.3.3  Working in (Subgroups of) $\mathbb{Z}_p^*$

Groups of the form $\mathbb{Z}_p^*$, for a prime $p$, give one class of cyclic groups in which the discrete logarithm problem is believed to be hard. Concretely, let $\mathcal{G}_1$ be an algorithm that, on input $1^n$, chooses a random $n$-bit prime $p$, and outputs $p$ and the group order $q = p - 1$ along with a generator $g$ of $\mathbb{Z}_p^*$. (Section 7.2.1 discusses efficient algorithms for choosing a random prime, and Appendix B.3 shows how to efficiently find a generator of $\mathbb{Z}_p^*$.) Then it is conjectured that the discrete logarithm problem is hard relative to $\mathcal{G}_1$.

The cyclic group $\mathbb{Z}_p^*$ (for $p > 3$ prime) does not have prime order. (The preference for groups of prime order was discussed in the previous section.) More problematic, the decisional Diffie-Hellman problem is simply not hard in such groups (see Exercise 11.10 of Chapter 11), and they are therefore unacceptable for the cryptographic applications we will explore in Chapters 9 and 10.

Thankfully, these problems can be addressed relatively easily by using an appropriate subgroup of $\mathbb{Z}_p^*$. Say an element $y \in \mathbb{Z}_p^*$ is a quadratic residue modulo $p$ if there exists an $x \in \mathbb{Z}_p^*$ such that $x^2 = y \bmod p$. It is not hard to show that the set of quadratic residues modulo $p$ forms a subgroup of $\mathbb{Z}_p^*$. Moreover, when $p$ is prime it can be shown that squaring modulo $p$ is a two-to-one function, implying that exactly half the elements of $\mathbb{Z}_p^*$ are quadratic residues. See Section 11.1.1 for a proof of this fact as well as further discussion of quadratic residues modulo a prime $p$.

If $p$ is a strong prime, i.e., $p = 2q + 1$ with $q$ prime, then the subgroup of quadratic residues modulo $p$ has exactly $(p - 1)/2 = q$ elements. Since $q$ is prime, Corollary 7.52 shows that this subgroup is cyclic and furthermore all elements of this subgroup (except the identity) are generators. For completeness, we sketch an appropriate polynomial-time algorithm $\mathcal{G}_2$ that follows easily from the above discussion.

ALGORITHM 7.62

A group generation algorithm $\mathcal{G}_2$

Input: Security parameter $1^n$
Output: Cyclic group $G$, its order $q$, and a generator $g$

  generate a random $(n + 1)$-bit strong prime $p$
  $q := (p - 1)/2$
  choose an arbitrary $x \in \mathbb{Z}_p^*$ with $x \neq \pm 1 \bmod p$ and set $g := x^2 \bmod p$
  return $p, q, g$

Note that $p$ serves as a description of the group $G$ of quadratic residues modulo $p$. The DDH problem is believed to be hard for $\mathcal{G}_2$ as above.

The strong prime $p$ can be generated as described in Section 7.2.1. Note that $g$ is computed in such a way that it is guaranteed to be a quadratic residue modulo $p$ with $g \neq 1$ (because $x^2 = 1 \bmod p$ only when $x = \pm 1 \bmod p$), and so $g$ will be a generator of the subgroup of quadratic residues modulo $p$.
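The following Python program is an added example by the editor, not code from the book. It implements Algorithm 7.62 under the editor's own names (`gen_group`, `legendre`, `ddh_advantage` and the toy Miller-Rabin test are not the book's) and then makes concrete the remark above that DDH is not hard in all of $\mathbb{Z}_p^*$: using Euler's criterion ($a^{(p-1)/2} \bmod p$ tells whether $a$ is a quadratic residue), the residuosity of $h^{xy}$ is determined by the residuosity of $h^x$ and $h^y$ when $h$ generates the whole group, so a trivial distinguisher gets constant advantage there. In the order-$q$ subgroup produced by $\mathcal{G}_2$ every element is a residue and the same test learns nothing. The primality test is probabilistic and not constant-time; it is for illustration, not for production key generation.

```python
"""Group generation G_2 (Algorithm 7.62) and the quadratic-residuosity leak in Z_p^*.

Added example, not from the book. gen_group(n) follows Algorithm 7.62: a random
(n+1)-bit strong prime p = 2q + 1 and g := x^2 mod p for x != +-1, a generator
of the order-q subgroup of quadratic residues. ddh_advantage() measures a simple
Legendre-symbol distinguisher against DDH, in <g> and in all of Z_p^*.
"""
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin test (toy: not constant-time, fixed round count)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_strong_prime(bits, rng=random):
    """Return (p, q) with p = 2q + 1, both prime, and p exactly `bits` bits long."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, bits-1 bits
        p = 2 * q + 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p, q


def gen_group(n, rng=random):
    """Algorithm 7.62: (p, q, g) with g generating the quadratic residues mod p."""
    p, q = gen_strong_prime(n + 1, rng)
    x = rng.randrange(2, p - 1)            # any x with x != +-1 mod p
    g = pow(x, 2, p)                       # a residue, and != 1 because x != +-1
    assert g != 1 and pow(g, q, p) == 1    # sanity: g lies in the order-q subgroup
    return p, q, g


def legendre(a, p):
    """Euler's criterion: 1 for a quadratic residue, p-1 for a non-residue, 0 for a = 0."""
    return pow(a, (p - 1) // 2, p)


def generator_of_full_group(p, rng=random):
    """A generator of all of Z_p^* (order 2q): any non-residue other than p-1 = -1."""
    while True:
        h = rng.randrange(2, p - 1)
        if legendre(h, p) == p - 1:
            return h


def legendre_consistent(p, hx, hy, z):
    """True iff the residuosity of (hx, hy, z) is consistent with z = h^(xy) for h
    generating Z_p^*: h^x is a residue iff x is even, so h^(xy) is a residue iff
    x or y is even. For h inside the residue subgroup this is always True."""
    def qr(a):
        return legendre(a, p) == 1
    return qr(z) == (qr(hx) or qr(hy))


def ddh_advantage(p, h, trials, rng=random):
    """Acceptance rate on real tuples (h^x, h^y, h^xy) minus the rate on random z."""
    order = (p - 1) if legendre(h, p) != 1 else (p - 1) // 2
    real_ok = rand_ok = 0
    for _ in range(trials):
        x, y = rng.randrange(order), rng.randrange(order)
        hx, hy = pow(h, x, p), pow(h, y, p)
        real_ok += legendre_consistent(p, hx, hy, pow(h, x * y, p))
        rand_ok += legendre_consistent(p, hx, hy, pow(h, rng.randrange(order), p))
    return (real_ok - rand_ok) / trials


def group_demo(n=24, seed=12345, trials=400):
    """Seeded run; returns (p, q, g, advantage in <g>, advantage in Z_p^*)."""
    rng = random.Random(seed)
    p, q, g = gen_group(n, rng)
    h = generator_of_full_group(p, rng)
    return p, q, g, ddh_advantage(p, g, trials, rng), ddh_advantage(p, h, trials, rng)


if __name__ == "__main__":
    print(group_demo())   # advantage is 0.0 in <g> and about 0.5 in Z_p^*
```

The last two numbers returned by `group_demo()` are the point of the exercise: the distinguisher accepts every genuine Diffie-Hellman tuple and only about half of the random ones in $\mathbb{Z}_p^*$, while in the subgroup $\langle g \rangle$ it cannot tell the two apart at all.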

7.3.4  * Elliptic  Curve  Groups 

The groups we have seen thus far have all been based on modular arithmetic. Another interesting class of groups is those consisting of points on elliptic curves. Such groups are used in cryptographic applications since, in contrast to $\mathbb{Z}_p^*$, there is currently no known sub-exponential time algorithm for solving the discrete logarithm problem in such groups. (See Chapter 8 for further discussion.) Although elliptic curve groups are important in practical applications of cryptography, our treatment of such groups in this book is (unfortunately) scant for the following reasons:

1. The mathematics required for a deeper understanding of elliptic curve groups is more than we were willing to assume on the part of the reader. Our treatment of elliptic curves is therefore rather minimal and sacrifices generality in favor of simplicity. The reader interested in further exploring this topic is advised to consult the references at the end of the chapter.

2. Most cryptographic schemes based on elliptic-curve groups (and all the schemes in this book) can be analyzed and understood by treating the underlying group in a completely generic fashion, without reference to any particular group used to instantiate the scheme. For example, we will see in later chapters cryptographic schemes that can be based on arbitrary cyclic groups (possibly of prime order); these schemes are secure as long as some appropriate computational problem in the underlying group is "hard". From the perspective of provable security, then, it makes no difference how the group is actually instantiated (as long as the relevant computational problem is believed to be hard in the group). Of course, when it comes time to implement the scheme in practice, the concrete choice of which underlying group to use is of fundamental importance.

We now proceed with our brief treatment of elliptic curves. Let $p > 5$ be a prime.^4 Consider an equation $E$ in the variables $x$ and $y$ of the form:

$$y^2 = x^3 + Ax + B \bmod p, \qquad (7.1)$$

where $A, B \in \mathbb{Z}_p$ are constants with $4A^3 + 27B^2 \neq 0 \bmod p$ (this latter condition ensures that the equation $x^3 + Ax + B = 0 \bmod p$ has no repeated roots). Let $\hat{E}(\mathbb{Z}_p)$ denote the set of pairs $(x, y) \in \mathbb{Z}_p \times \mathbb{Z}_p$ satisfying the above equation; i.e.,

$$\hat{E}(\mathbb{Z}_p) := \{(x, y) \mid x, y \in \mathbb{Z}_p \text{ and } y^2 = x^3 + Ax + B \bmod p\}.$$

Define $E(\mathbb{Z}_p) := \hat{E}(\mathbb{Z}_p) \cup \{\mathcal{O}\}$, where $\mathcal{O}$ is a special value whose purpose we will discuss shortly. The elements of the set $E(\mathbb{Z}_p)$ are called the points on the elliptic curve $E$ defined by Equation (7.1), and $\mathcal{O}$ is called the "point at infinity."

^4 The theory can be adapted to deal with the case of $p = 2$ or $3$ but this introduces additional complications. For the advanced reader, we mention that elliptic curves can in fact be defined over arbitrary (finite or infinite) fields, and the discussion here carries over to fields of characteristic not equal to 2 or 3.

Example 7.63

Recall that an element $y \in \mathbb{Z}_p^*$ is a quadratic residue modulo $p$ if there exists an $x \in \mathbb{Z}_p$ such that $x^2 = y \bmod p$; we say that $x$ is a square root of $y$ in this case. Furthermore, when $p > 2$ is prime, every quadratic residue modulo $p$ has exactly two square roots. (See Section 11.1.1 for further discussion.)

Let $f(x) := x^3 + 3x + 3$ and consider the curve $E : y^2 = f(x) \bmod 7$. Each value of $x$ for which $f(x)$ is a quadratic residue modulo 7 yields two points on the curve, values $x$ for which $f(x)$ is a non-quadratic residue are not on the curve, and values of $x$ for which $f(x) = 0 \bmod 7$ give one point on the curve. This allows us to determine the points on the curve:

$f(0) = 3 \bmod 7$, a quadratic non-residue modulo 7.

$f(1) = 0 \bmod 7$, so we obtain the point $(1, 0) \in E(\mathbb{Z}_7)$.

$f(2) = 3 \bmod 7$, a quadratic non-residue modulo 7.

$f(3) = 4 \bmod 7$, a quadratic residue modulo 7 with square roots 2 and 5. This yields the points $(3, 2), (3, 5) \in E(\mathbb{Z}_7)$.

$f(4) = 2 \bmod 7$, a quadratic residue modulo 7 with square roots 3 and 4. This yields the points $(4, 3), (4, 4) \in E(\mathbb{Z}_7)$.

$f(5) = 3 \bmod 7$, a quadratic non-residue modulo 7.

$f(6) = 6 \bmod 7$, a quadratic non-residue modulo 7.

Including the point at infinity, there are 6 points in $E(\mathbb{Z}_7)$. ◇

FIGURE 7.2: An elliptic curve over the reals. (Figure not reproduced here.)

A useful way to conceptualize $E(\mathbb{Z}_p)$ is to look at the graph of Equation (7.1) over the reals (i.e., the equation $y^2 = x^3 + Ax + B$ without reduction modulo $p$) as in Figure 7.2. This figure does not correspond exactly to $E(\mathbb{Z}_p)$ because, for example, $E(\mathbb{Z}_p)$ has a finite number of points ($\mathbb{Z}_p$ is, after all, a finite set) while there are an infinite number of solutions to the same equation if we allow $x$ and $y$ to range over all real numbers. Nevertheless, the picture provides useful intuition. In such a figure, one can think of the "point at infinity" $\mathcal{O}$ as sitting at the top of the $y$-axis and lying on every vertical line.

It can be shown that every line intersecting the curve $E$ intersects the curve in exactly 3 points, where: (1) a point $P$ is counted twice if the line is tangent to the curve at $P$, and (2) the point at infinity is also counted (when the line is vertical). This fact is used to define a binary operation, called 'addition' and denoted by '+', on points of $E(\mathbb{Z}_p)$ in the following way:^5

• The point $\mathcal{O}$ is defined as an (additive) identity; that is, for all $P \in E(\mathbb{Z}_p)$ we define $P + \mathcal{O} = \mathcal{O} + P = P$.

• If $P_1, P_2, P_3$ are co-linear points on $E$ then we require that

$$P_1 + P_2 + P_3 = \mathcal{O}. \qquad (7.2)$$

(This disregards the ordering of $P_1, P_2, P_3$, implying that addition is commutative for all points, and associative for co-linear points.)

^5 Our approach is informal, and we do not justify that it leads to a consistent definition.

Rules for negation and addition of arbitrary points follow from the above.

Negation.  Given a point $P$, the negation $-P$ is (by definition of negation) that point for which $P + (-P) = \mathcal{O}$. If $P = \mathcal{O}$ then $-P = \mathcal{O}$. Otherwise, since $P + (-P) + \mathcal{O} = (P + (-P)) + \mathcal{O} = \mathcal{O} + \mathcal{O} = \mathcal{O}$ we see, using Equation (7.2), that $-P$ corresponds to the third point on the line passing through $P$ and $\mathcal{O}$ or, equivalently, the vertical line passing through $P$. As can be seen by looking at Figure 7.2, this means that $-P$ is simply the reflection of $P$ in the $x$-axis; that is, if $P = (x, y)$ then $-P = (x, -y)$.

Addition of points.  For two arbitrary points $P_1, P_2 \neq \mathcal{O}$ on $E$, we can evaluate their sum $P_1 + P_2$ by drawing the line through $P_1, P_2$ (if $P_1 = P_2$ then draw the line tangent to $E$ at $P_1$) and finding the third point of intersection $P_3$ of this line with $E$; the third point of intersection may be $P_3 = \mathcal{O}$ if the line is vertical. Equation (7.2) implies that $P_1 + P_2 + P_3 = \mathcal{O}$, or $P_1 + P_2 = -P_3$. If $P_3 = \mathcal{O}$ then $P_1 + P_2 = -\mathcal{O} = \mathcal{O}$. Otherwise, if the third point of intersection of the line through $P_1$ and $P_2$ is the point $P_3 = (x, y) \neq \mathcal{O}$ then

$$P_1 + P_2 = -P_3 = (x, -y).$$

Graphically, $P_1 + P_2$ can be found by finding the third point of intersection of $E$ and the line through $P_1$ and $P_2$, and then reflecting in the $x$-axis.

It is straightforward, but tedious, to work out the addition law concretely. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points in $E(\mathbb{Z}_p)$, with $P_1, P_2 \neq \mathcal{O}$ and $E$ as in Equation (7.1). To keep matters simple, suppose $x_1 \neq x_2$ (the extension to the case $x_1 = x_2$ is still straightforward but even more tedious). The slope of the line through these points is

$$m = \frac{y_2 - y_1}{x_2 - x_1} \bmod p;$$

our assumption that $x_1 \neq x_2$ means that $x_2 - x_1 \neq 0 \bmod p$ and so the inverse of $(x_2 - x_1)$ modulo $p$ exists. The line passing through $P_1$ and $P_2$ has the equation

$$y = m \cdot (x - x_1) + y_1 \bmod p.$$
To find the third point of intersection of this line with $E$, substitute the above into the equation for $E$ to obtain

$$\left(m \cdot (x - x_1) + y_1\right)^2 = x^3 + Ax + B \bmod p.$$

The values of $x$ that satisfy this equation are $x_1$, $x_2$, and $[m^2 - x_1 - x_2 \bmod p]$. The first two solutions correspond to the original points $P_1$ and $P_2$, while the third is the $x$-coordinate of the third point of intersection $P_3$. The $y$-value corresponding to this third value of $x$ is $y = [m \cdot (x - x_1) + y_1 \bmod p]$. That is, $P_3 = (x_3, y_3)$ where

$$x_3 = [m^2 - x_1 - x_2 \bmod p] \quad\text{and}\quad y_3 = [m \cdot (x_3 - x_1) + y_1 \bmod p].$$

To obtain the desired answer $P_1 + P_2$, it remains only to take the negation of $P_3$ (or, equivalently, reflect $P_3$ in the $x$-axis) giving:

PROPOSITION 7.64  Let $p > 5$ be prime, and $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on the elliptic curve $y^2 = x^3 + Ax + B \bmod p$ with $P_1, P_2 \neq \mathcal{O}$ and $x_1 \neq x_2$. Then $P_1 + P_2 = (x_3, y_3)$ with

$$x_3 = [m^2 - x_1 - x_2 \bmod p] \quad\text{and}\quad y_3 = [m \cdot (x_1 - x_3) - y_1 \bmod p],$$

where

$$m = \frac{y_2 - y_1}{x_2 - x_1} \bmod p.$$

For completeness, we state the addition law for points not covered by the above proposition.

PROPOSITION 7.65  Let $p > 5$ be prime, and $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on the elliptic curve $y^2 = x^3 + Ax + B \bmod p$ with $P_1, P_2 \neq \mathcal{O}$.

1. If $x_1 = x_2$ but $y_1 \neq y_2$ then $P_1 = -P_2$ and so $P_1 + P_2 = \mathcal{O}$.

2. If $P_1 = P_2$ and $y_1 = 0$ then $P_1 + P_2 = 2P_1 = \mathcal{O}$.

3. If $P_1 = P_2$ and $y_1 \neq 0$ then $P_1 + P_2 = (x_3, y_3)$ with

$$x_3 = [m^2 - 2x_1 \bmod p] \quad\text{and}\quad y_3 = [m \cdot (x_1 - x_3) - y_1 \bmod p],$$

where

$$m = \frac{3x_1^2 + A}{2y_1} \bmod p.$$
Somewhat amazingly, it can be shown that the set of points $E(\mathbb{Z}_p)$ along with the addition rule defined above forms an abelian group! Actually, we have already seen almost all the necessary properties: closure under addition follows from the fact (not proven here) that any line intersecting $E$ has three points of intersection; $\mathcal{O}$ acts as the identity; each point on $E(\mathbb{Z}_p)$ has an inverse in $E(\mathbb{Z}_p)$; and commutativity of addition follows from Equation (7.2). The difficult property to verify is associativity, which the disbelieving reader can check through tedious calculation. A more illuminating proof that does not involve explicit calculation relies on algebraic geometry.

In typical cryptographic applications, parameters of the elliptic curve are chosen in such a way that the group $E(\mathbb{Z}_p)$ (or a subgroup thereof) is of prime order, and hence a cyclic group. Efficient methods for doing so are beyond the scope of this book.
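The following Python program is an added example by the editor, not code from the book: it implements the addition law of Propositions 7.64 and 7.65 for a curve $y^2 = x^3 + Ax + B \bmod p$, representing the point at infinity $\mathcal{O}$ as `None` (an implementation choice, not the book's notation), and runs it on the curve of Example 7.63. Enumerating the points and checking closure, commutativity, inverses and associativity by brute force is exactly the "tedious calculation" mentioned above, done by machine; computing the order of every point shows that $E(\mathbb{Z}_7)$ for this curve is cyclic of order 6 with $(4, 3)$ as a generator. The scalar multiplication is a plain double-and-add loop and is not constant-time.

```python
"""Elliptic-curve point arithmetic over Z_p (Propositions 7.64 and 7.65).

Added example, not from the book. Points are (x, y) tuples; the point at
infinity O is represented by None. Curve parameters must satisfy p > 5 prime
and 4A^3 + 27B^2 != 0 mod p, as in Equation (7.1).
"""
from itertools import product

O = None  # the point at infinity


class Curve:
    def __init__(self, p, A, B):
        assert p > 5 and (4 * A**3 + 27 * B**2) % p != 0, "singular curve or bad p"
        self.p, self.A, self.B = p, A % p, B % p

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x**3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P):
        """-P is the reflection of P in the x-axis."""
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P1, P2):
        p = self.p
        if P1 is O:
            return P2
        if P2 is O:
            return P1
        x1, y1 = P1
        x2, y2 = P2
        if x1 == x2 and (y1 + y2) % p == 0:      # P2 = -P1; also covers doubling with y1 = 0
            return O
        if P1 == P2:                              # Proposition 7.65, case 3: tangent slope
            m = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p
        else:                                     # Proposition 7.64: chord slope
            m = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (m * m - x1 - x2) % p
        y3 = (m * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add (not constant-time; illustration only)."""
        R = O
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """Enumerate E(Z_p) by brute force; fine for toy p only."""
        pts = [O]
        for x, y in product(range(self.p), repeat=2):
            if self.on_curve((x, y)):
                pts.append((x, y))
        return pts

    def order_of(self, P):
        """Smallest n >= 1 with n*P = O."""
        n, Q = 1, P
        while Q is not O:
            Q = self.add(Q, P)
            n += 1
        return n

    def is_abelian_group(self):
        """Brute-force check of closure, commutativity, inverses and associativity."""
        pts = self.points()
        for P, Q in product(pts, repeat=2):
            S = self.add(P, Q)
            if S not in pts or S != self.add(Q, P) or self.add(P, self.neg(P)) is not O:
                return False
        for P, Q, R in product(pts, repeat=3):
            if self.add(self.add(P, Q), R) != self.add(P, self.add(Q, R)):
                return False
        return True


if __name__ == "__main__":
    E = Curve(7, 3, 3)                          # Example 7.63: y^2 = x^3 + 3x + 3 mod 7
    pts = E.points()
    print(len(pts), "points:", pts)             # 6 points, including O
    print("abelian group:", E.is_abelian_group())
    print({P: E.order_of(P) for P in pts if P is not O})
```

On the Example 7.63 curve the orders come out as 2 for $(1, 0)$, 3 for $(3, 2)$ and $(3, 5)$, and 6 for $(4, 3)$ and $(4, 4)$, so the group is cyclic and either of the last two points generates it; this is the toy version of what "parameters chosen so that $E(\mathbb{Z}_p)$ is of prime order" buys in practice, where $p$ is hundreds of bits long and no enumeration is possible.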


7.4  Cryptographic Applications of Number-Theoretic Assumptions

We  have  spent  a fair  bit  of  time  discussing  number  theory  and  group  theory, 
and  introducing  computational  hardness  assumptions  that  are  widely  believed 
to  hold.  Applications  of  these  assumptions  will  occupy  us  for  the  rest  of  the 
book,  but  we  provide  some  brief  examples  here. 

7.4.1  One-Way  Functions  and  Permutations 

One-way  functions  are  the  minimal  cryptographic  primitive,  and  they  are 
both  necessary  and  sufficient  for  all  the  private-key  constructions  we  have  seen 
in  Chapters  3 and  4.  A more  complete  discussion  of  the  role  of  one-way  func- 
tions in  cryptography  is  given  in  Chapter  6;  here  we  only  provide  a definition 
of  one-way  functions  and  demonstrate  that  their  existence  follows  from  all  the 
number-theoretic  hardness  assumptions  we  have  seen  in  this  chapter. 

Informally, a function $f$ is one-way if it is easy to compute but hard to invert. The following experiment and definition is a formal statement of this (and is a re-statement of Definition 6.1):

The inverting experiment $\mathsf{Invert}_{\mathcal{A},f}(n)$:

1. Choose input $x \leftarrow \{0,1\}^n$. Compute $y := f(x)$.

2. $\mathcal{A}$ is given $1^n$ and $y$ as input, and outputs $x'$.

3. The output of the experiment is defined to be 1 if and only if $f(x') = y$.

DEFINITION 7.66  A function $f : \{0,1\}^* \to \{0,1\}^*$ is one-way if the following two conditions hold:

1. (Easy to compute:) There exists a polynomial-time algorithm that on input $x$ outputs $f(x)$.

2. (Hard to invert:) For all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Invert}_{\mathcal{A},f}(n) = 1] \le \mathsf{negl}(n).$$
We now show formally that the factoring assumption implies the existence of a one-way function. Let $\mathsf{Gen}$ be a polynomial-time algorithm that, on input $1^n$, outputs $(N, p, q)$ where $N = pq$ and $p$ and $q$ are $n$-bit primes except with probability negligible in $n$. (We use $\mathsf{Gen}$ rather than $\mathsf{GenModulus}$ here purely for notational convenience.) Since $\mathsf{Gen}$ runs in polynomial time, there exists a polynomial $p$ such that the number of random bits the algorithm uses on input $1^n$ is at most $p(n)$. For simplicity, assume that $\mathsf{Gen}$ always uses exactly $p(n)$ bits on input $1^n$, and further that $p(n)$ is strictly increasing. In Algorithm 7.67 we define a function $f_{\mathsf{Gen}}$ that uses its input as a random tape for $\mathsf{Gen}$. Since the hardness of inverting a one-way function is only required for random inputs, we are able to interpret the input as a random tape and the generation algorithm will have the required properties. Thus, although the algorithm for computing $f_{\mathsf{Gen}}$ runs $\mathsf{Gen}$ as a subroutine, it is actually deterministic, as required. (The computation of $n$ based on the length of the input $x$ is a technicality that is needed to make sure that $\mathsf{Gen}$ receives a random tape of the appropriate length.)

ALGORITHM 7.67

Algorithm computing $f_{\mathsf{Gen}}$

Input: String $x$
Output: String $N$

  compute $n$ such that $p(n) \le |x| < p(n + 1)$
  compute $(N, p, q) := \mathsf{Gen}(1^n; x)$
    /* i.e., run $\mathsf{Gen}(1^n)$ using $x$ as the random tape */
  return $N$

If the factoring problem is hard relative to $\mathsf{Gen}$ then, intuitively, $f_{\mathsf{Gen}}$ is a one-way function. Certainly $f_{\mathsf{Gen}}$ is easy to compute. As for the hardness of inverting this function, for any $n'$ the following distributions are identical:

1. The modulus $N$ output by $f_{\mathsf{Gen}}(x)$, when $x \in \{0,1\}^{n'}$ is chosen according to the uniform distribution.

2. The modulus $N$ output by the randomized process in which $\mathsf{Gen}(1^n)$ is run to obtain $N$. Here, $n$ satisfies $p(n) \le n' < p(n + 1)$.

Since moduli $N$ chosen according to the second distribution are hard to factor, the same holds for moduli $N$ chosen according to the first distribution. Moreover, given any $x$ for which $f_{\mathsf{Gen}}(x) = N$, it is easy to recover a factor of $N$ (by running $\mathsf{Gen}(1^n; x)$ to obtain $(N, p, q)$ and outputting the factors $p$ and $q$). Thus, inverting $f_{\mathsf{Gen}}$ and finding such an $x$ is as hard as factoring. We therefore have the following theorem (a formal proof follows fairly easily from what we have said):

THEOREM 7.68  If the factoring problem is hard relative to $\mathsf{Gen}$, then $f_{\mathsf{Gen}}$ is a one-way function.

A corollary is that hardness of the RSA problem implies the existence of a one-way function (this follows from the fact that hardness of RSA implies that factoring is hard, at least when $\mathsf{GenRSA}$ is constructed as in Algorithm 7.47).

* One-Way Permutations

We have seen that one-way functions exist if the RSA problem is hard. However, the RSA problem actually gives us something much stronger: a family of one-way permutations. (The material from here until the end of this section is needed for Section 10.7 and will be meaningful to those who have studied Chapter 6; otherwise, it may be skipped.) We begin with a re-statement of Definitions 6.3 and 6.4:

DEFINITION 7.69  A tuple $\Pi = (\mathsf{Gen}, \mathsf{Samp}, f)$ of probabilistic polynomial-time algorithms is a family of functions if the following hold:

1. The parameter generation algorithm $\mathsf{Gen}$, on input $1^n$, outputs parameters $I$ with $|I| \ge n$. Each value of $I$ output by $\mathsf{Gen}$ defines sets $\mathcal{D}_I$ and $\mathcal{R}_I$ that constitute the domain and range, respectively, of a function $f_I$ defined below.

2. The sampling algorithm $\mathsf{Samp}$, on input $I$, outputs a uniformly distributed element of $\mathcal{D}_I$ (except possibly with probability negligible in $|I|$).

3. The deterministic evaluation algorithm $f$, on input $I$ and $x \in \mathcal{D}_I$, outputs an element $y \in \mathcal{R}_I$. We write this as $y := f_I(x)$.

$\Pi$ is a family of permutations if, for each value of $I$ output by $\mathsf{Gen}(1^n)$, it holds that $\mathcal{D}_I = \mathcal{R}_I$ and the function $f_I : \mathcal{D}_I \to \mathcal{D}_I$ is a bijection.

Due to the last condition, when $\Pi$ is a family of permutations, choosing $x \leftarrow \mathcal{D}_I$ uniformly at random and setting $y := f_I(x)$ results in a value of $y$ that is uniformly distributed in $\mathcal{D}_I$.

Given a family of functions $\Pi$, consider the following experiment for any algorithm $\mathcal{A}$ and parameter $n$:

The inverting experiment $\mathsf{Invert}_{\mathcal{A},\Pi}(n)$:

1. $\mathsf{Gen}(1^n)$ is run to obtain $I$, and then $\mathsf{Samp}(I)$ is run to obtain a random $x \leftarrow \mathcal{D}_I$. Finally, $y := f_I(x)$ is computed.

2. $\mathcal{A}$ is given $I$ and $y$ as input, and outputs $x'$.

3. The output of the experiment is defined to be 1 if $f_I(x') = y$, and 0 otherwise.

DEFINITION 7.70  A family of functions/permutations $\Pi = (\mathsf{Gen}, \mathsf{Samp}, f)$ is one-way if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Invert}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n).$$

Given $\mathsf{GenRSA}$ as in Section 7.2.4, Construction 7.71 defines a family of permutations. It is immediate that if the RSA problem is hard for $\mathsf{GenRSA}$ then this family is in fact one-way. It can similarly be shown that hardness of the discrete logarithm problem in $\mathbb{Z}_p^*$, with $p$ prime, implies the existence of a one-way permutation family; see Exercise 7.20.

CONSTRUCTION 7.71

Let $\mathsf{GenRSA}$ be as in Section 7.2.4. Define a family of permutations as follows:

• $\mathsf{Gen}$: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$ and output $I = (N, e)$. Set $\mathcal{D}_I = \mathbb{Z}_N^*$.

• $\mathsf{Samp}$: on input $I = (N, e)$, choose a random element of $\mathbb{Z}_N^*$.

• $f$: on input $I = (N, e)$ and $x \in \mathbb{Z}_N^*$, output $[x^e \bmod N]$.

A family of one-way permutations (assuming the RSA problem is hard relative to $\mathsf{GenRSA}$).

7.4.2  Constructing Collision-Resistant Hash Functions

Collision-resistant hash functions were introduced in Section 4.6. Although, as discussed in that section, there exist heuristic constructions of collision-resistant hash functions that are used widely in practice, we have not yet seen any constructions of such hash functions that can be proven secure under more basic assumptions. (In particular, no such constructions were shown in Chapter 6. In fact, there is evidence that constructing collision-resistant hash functions from arbitrary one-way functions or permutations is impossible.)

We show now a construction of a collision-resistant hash function based on the discrete logarithm assumption in prime-order groups. A second construction based on the RSA problem is described in Exercise 7.21. Although these constructions are less efficient than the hash functions used in practice, they are important since they illustrate the feasibility of achieving collision resistance based on standard and well-studied cryptographic assumptions.

As in Section 7.3.2, let $\mathcal{G}$ be a polynomial-time algorithm that, on input $1^n$, outputs a (description of a) cyclic group $G$, its order $q$ (with $\|q\| = n$), and a generator $g$. As always, we assume that the group operation in $G$ can be computed efficiently. Finally, we also require that $q$ is prime except possibly with negligible probability. (Recall that there is a general preference for using groups of prime order, as discussed in Section 7.3.2.) A fixed-length hash function based on $\mathcal{G}$ is given in Construction 7.72.

CONSTRUCTION 7.72

Let $\mathcal{G}$ be as described in the text. Define a fixed-length hash function $(\mathsf{Gen}, H)$ as follows:

• $\mathsf{Gen}$: on input $1^n$, run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$ and then select $h \leftarrow G$. Output $s := (G, q, g, h)$ as the key.

• $H$: given a key $s = (G, q, g, h)$ and input $(x_1, x_2) \in \mathbb{Z}_q \times \mathbb{Z}_q$, output

$$H^s(x_1, x_2) := g^{x_1} h^{x_2}.$$

A fixed-length hash function.

Note that $\mathsf{Gen}$ and $H$ can be computed in polynomial time. Before continuing with an analysis of the construction, we make some technical remarks:

• For a given $s = (G, q, g, h)$ with $n = \|q\|$, the function $H^s$ is described as taking elements of $\mathbb{Z}_q \times \mathbb{Z}_q$ as input. However, $H^s$ can be viewed as taking bit-strings of length $2 \cdot (n - 1)$ as input if we parse inputs $x \in \{0,1\}^{2(n-1)}$ as two strings $x_1, x_2$ each of length $n - 1$, and then view each of $x_1, x_2$ as an element of $\mathbb{Z}_q$ in the natural way.

• The output of $H^s$ is similarly specified as being an element of $G$, but we can view this as a bit-string if we fix some representation of $G$. To satisfy the requirements of Definition 4.12 (which requires the output length to be fixed as a function of $n$) we can pad the output as needed.

• Given the above, the construction only compresses its input for certain groups $G$ (specifically, when elements of $G$ can be represented using fewer than $2n - 2$ bits). As shown in Exercise 7.19, compression can be achieved when using subgroups of $\mathbb{Z}_p^*$ of the type discussed in Section 7.3.3. A generalization of Construction 7.72 can be used to obtain compression from any $\mathcal{G}$ for which the discrete logarithm problem is hard, regardless of the number of bits required to represent group elements; see Exercise 7.22.

THEOREM 7.73  If the discrete logarithm problem is hard relative to $\mathcal{G}$, then Construction 7.72 is a fixed-length collision-resistant hash function (subject to the discussion regarding compression, above).

PROOF  Let $\Pi = (\mathsf{Gen}, H)$ be as in Construction 7.72, and let $\mathcal{A}$ be a probabilistic polynomial-time algorithm with

$$\varepsilon(n) := \Pr[\mathsf{Hash\text{-}coll}_{\mathcal{A},\Pi}(n) = 1]$$

(cf. Definition 4.12). We show how $\mathcal{A}$ can be used by an algorithm $\mathcal{A}'$ to solve the discrete logarithm problem with success probability $\varepsilon(n)$:

Algorithm $\mathcal{A}'$:

The algorithm is given $G, q, g, h$ as input.

1. Let $s := (G, q, g, h)$. Run $\mathcal{A}(s)$ and obtain output $x$ and $x'$.

2. If $x \neq x'$ and $H^s(x) = H^s(x')$ then:

  (a) If $h = 1$ return 0.

  (b) Otherwise ($h \neq 1$), parse $x$ as $(x_1, x_2)$ and parse $x'$ as $(x_1', x_2')$. Return $[(x_1 - x_1') \cdot (x_2' - x_2)^{-1} \bmod q]$.

Clearly, $\mathcal{A}'$ runs in polynomial time. Furthermore, the input $s$ given to $\mathcal{A}$ when run as a subroutine by $\mathcal{A}'$ is distributed exactly as in experiment $\mathsf{Hash\text{-}coll}_{\mathcal{A},\Pi}$ for the same value of the security parameter $n$. (The input to $\mathcal{A}'$ is generated by running $\mathcal{G}(1^n)$ to obtain $G, q, g$ and then choosing $h \in G$ uniformly at random. This is exactly how $s$ is generated by $\mathsf{Gen}(1^n)$.) So, with probability exactly $\varepsilon(n)$ there is a collision: i.e., $x \neq x'$ and $H^s(x) = H^s(x')$.

We claim that whenever there is a collision, $\mathcal{A}'$ returns the correct answer $\log_g h$. If $h = 1$ then this is clearly true (since $\log_g h = 0$ in this case). Otherwise, the existence of a collision means that

$$H^s(x_1, x_2) = H^s(x_1', x_2') \;\Rightarrow\; g^{x_1} h^{x_2} = g^{x_1'} h^{x_2'}. \qquad (7.3)$$

Let $\Delta := x_2' - x_2$. Note that $\Delta \neq 0 \bmod q$, since otherwise Equation (7.3) would give $g^{x_1} = g^{x_1'}$ and hence $[(x_1 - x_1') \bmod q] = 0$, but then $x = (x_1, x_2) = (x_1', x_2') = x'$, in contradiction to the assumption that $x \neq x'$. Since $q$ is prime and $\Delta \neq 0 \bmod q$, the inverse $[\Delta^{-1} \bmod q]$ exists. Rearranging Equation (7.3) gives $g^{x_1 - x_1'} = h^{x_2' - x_2} = h^{\Delta}$, and raising each side to the power $\Delta^{-1}$ gives $g^{(x_1 - x_1') \cdot \Delta^{-1}} = h$, and so

$$\log_g h = [(x_1 - x_1') \Delta^{-1} \bmod q] = [(x_1 - x_1') \cdot (x_2' - x_2)^{-1} \bmod q],$$

the output returned by $\mathcal{A}'$.

We see that $\mathcal{A}'$ correctly solves the discrete logarithm problem with probability exactly $\varepsilon(n)$. Since, by assumption, the discrete logarithm problem is hard relative to $\mathcal{G}$, we conclude that $\varepsilon(n)$ is negligible. ■
Using Exercise 7.22 in combination with the Merkle-Damgård transform (see Section 4.6.4), we have the following theorem:

THEOREM 7.74  If there exists a probabilistic polynomial-time algorithm $\mathcal{G}$ relative to which the discrete logarithm problem is hard, then there exists a collision-resistant hash function.
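The following Python program is an added example by the editor, not code from the book. It implements Construction 7.72 in the order-$q$ subgroup of quadratic residues of $\mathbb{Z}_p^*$ from Section 7.3.3, using the constructed toy strong prime $p = 2039 = 2 \cdot 1019 + 1$ with $g = 4 = 2^2$ as generator (far too small for any real use; chosen only so the example runs instantly), and shows both halves of the argument in Theorem 7.73: a party who knows $\log_g h$ can produce collisions at will, and algorithm $\mathcal{A}'$ from the proof turns any collision back into $\log_g h$. The class and function names are the editor's own.

```python
"""Construction 7.72 (H^s(x1, x2) = g^x1 * h^x2) and the extractor of Theorem 7.73.

Added example, not from the book. The group is <g> of prime order q inside Z_p^*
for the constructed toy strong prime p = 2039 = 2*1019 + 1, g = 4.
"""
import random


def trial_division_prime(n):
    """Tiny primality check; adequate only for the toy parameters used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


class DlogHash:
    """Key s = (p, q, g, h); H^s(x1, x2) := g^x1 * h^x2 mod p with x1, x2 in Z_q."""

    def __init__(self, p, q, g, h):
        assert trial_division_prime(p) and trial_division_prime(q) and p == 2 * q + 1
        assert g != 1 and pow(g, q, p) == 1         # g generates the order-q subgroup
        assert h != 0 and pow(h, q, p) == 1         # h lies in that subgroup
        self.p, self.q, self.g, self.h = p, q, g, h

    @classmethod
    def gen(cls, p, q, g, rng=random):
        """Gen: h uniform in <g>, sampled as a random power of g (its log is then unknown)."""
        return cls(p, q, g, pow(g, rng.randrange(q), p))

    def hash(self, x1, x2):
        return pow(self.g, x1, self.p) * pow(self.h, x2, self.p) % self.p


def collide_with_trapdoor(H, k, x1, x2, d=1):
    """If h = g^k is known, (x1 - k*d, x2 + d) collides with (x1, x2) for any d != 0 mod q:
    g^(x1 - kd) * h^(x2 + d) = g^x1 * g^(-kd) * g^(k x2) * g^(kd) = g^x1 * h^x2."""
    q = H.q
    return ((x1 - k * d) % q, (x2 + d) % q)


def extract_dlog(H, x, x_prime):
    """Algorithm A' from the proof of Theorem 7.73: a collision yields log_g h."""
    (x1, x2), (x1p, x2p) = x, x_prime
    if x == x_prime or H.hash(x1, x2) != H.hash(x1p, x2p):
        raise ValueError("not a collision")
    if H.h == 1:
        return 0
    delta = (x2p - x2) % H.q                 # nonzero, otherwise x1 = x1' as well and x = x'
    return (x1 - x1p) * pow(delta, -1, H.q) % H.q


def hash_demo(seed=0):
    """Seeded round trip: plant h = g^k, forge a collision from k, recover k from it."""
    rng = random.Random(seed)
    p, q, g = 2039, 1019, 4
    k = rng.randrange(1, q)                   # the secret discrete log of h
    H = DlogHash(p, q, g, pow(g, k, p))
    x = (rng.randrange(q), rng.randrange(q))
    x_prime = collide_with_trapdoor(H, k, *x, d=rng.randrange(1, q))
    assert x != x_prime and H.hash(*x) == H.hash(*x_prime)
    return extract_dlog(H, x, x_prime) == k


if __name__ == "__main__":
    print("recovered log_g h from a forged collision:", hash_demo())
```

The trapdoor direction is why the key $h$ must be sampled without anyone learning $\log_g h$ (in `DlogHash.gen` the exponent is discarded immediately); if the party publishing $s$ keeps $k$, the hash is collision-resistant against everyone except that party. The extractor direction is the reduction itself: no collision can exist for an honest key unless discrete logarithms in $\langle g \rangle$ are easy.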
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Exercises 

7.1  Let  G be  an  abelian  group.  Prove  that  there  is  a unique  identity  in  G, 
and  that  every  element  ^ 6 G has  a unique  inverse. 

7.2  Show  that  Proposition  7.36  does  not  necessarily  hold  when  G is  infinite. 

Hint:  Consider  the  set  {1}  U {2,  4,  6,  8, . . .}  C M. 

7.3  Let  G be  a finite  group,  and  ^ G G.  Show  that  (g)  is  a subgroup  of  G. 

Is  the  set  necessarily  a subgroup  of  G when  G is  infinite? 

7.4  This  question  concerns  the  Euler  phi  function. 

(a)  Let  p be  a prime  and  e > 1 an  integer.  Show  that 

Hp^)  1)- 

(b)  Let  p,q  be  relatively  prime..  Show  that  (f>{pq)  = (f>{p)  ■ 4>{q)-  (You 
niay  not  use  the  Chinese  remainder  theorem.) 

(c)  Prove  Theorem  7.19. 

7.5  Compute  the  final  two  (decimal)  digits  of  31000  hand). 

9 

Hint:  The  answer  is  mod  100]. 

7.6  Compute  mod  35]  (by  hand).  . 

7.7  Prove,  that  if  G,1HI  are  groups,  then  G x IHI  is  a group. 

7.8  Let  p,  N be  integers  with  p | N . Prove  that  for  any  integer  X, 

[[X  mod  N\  mod  p]  = [X  modpj. 

Show  that,  in  contrast,  [[X  mod  p]  mod  N]  need  not  equal  [X  mod  N]. 

7.9  Complete  the  details  of  the  proof  of  the  Chinese  remainder  theorem, 
showing  that  is  isomorphic  to  Z*  x Z*. 

7.10  Corollary  7.21  shows  that  if  X = p^  and  ed  = 1 mod  0(X)  then  for  all 
X G Z^  we  have  {x^)^  = x mod  N . Show  that  this  holds  for  all  x G Zjv. 

Hint:  Use  the  Chinese  remainder  theorem. 

7.11 This exercise develops an efficient algorithm for testing whether an integer is a perfect power.

(a) Show that if $N = \hat{N}^e$ for some integers $\hat{N}, e > 1$ then $e \leq \|N\| + 1$.

(b) Given $N$ and $e$ with $2 \leq e \leq \|N\| + 1$, show how to determine in $\mathrm{poly}(\|N\|)$ time whether there exists an integer $\hat{N}$ with $\hat{N}^e = N$.

Hint: Use binary search.

(c) Given $N$, show how to test in $\mathrm{poly}(\|N\|)$ time whether $N$ is a perfect power.
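The three parts of Exercise 7.11 assemble into a short algorithm. The following is an added example (not code from the textbook) that carries the exercise through: part (b) is an exact binary search on Python's arbitrary-precision integers, and part (c) loops over the exponents allowed by part (a). The function names are this example's own.

```python
"""Perfect-power test, following the three parts of Exercise 7.11.

Added example, not from the textbook.  Python's arbitrary-precision
integers let the binary search of part (b) run exactly, with no floats.
"""
from typing import Optional, Tuple


def integer_root(N: int, e: int) -> Optional[int]:
    """Part (b): binary search for an integer M with M**e == N.

    If N = M**e then M < 2**(||N||//e + 1), so searching [1, 2**(||N||//e + 1)]
    takes O(||N||) halvings, each costing one exponentiation: poly(||N||).
    Returns M if it exists, otherwise None.
    """
    lo, hi = 1, 1 << (N.bit_length() // e + 1)
    while lo <= hi:
        mid = (lo + hi) // 2
        power = mid ** e
        if power == N:
            return mid
        if power < N:
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def perfect_power(N: int) -> Optional[Tuple[int, int]]:
    """Part (c): return (M, e) with M**e == N and e >= 2, or None.

    Part (a) bounds the exponent: if N = M**e with M >= 2 then
    2**e <= N, so e <= ||N|| + 1 and only about ||N|| exponents need trying.
    The smallest e is returned, so the base M may itself be a power.
    """
    if N < 4:
        return None
    for e in range(2, N.bit_length() + 2):
        M = integer_root(N, e)
        if M is not None:
            return M, e
    return None


if __name__ == "__main__":
    print(perfect_power(248832))   # 12**5
    print(perfect_power(1001))     # not a perfect power
```

A perfect-power check of this kind is the first thing a factoring routine (or an RSA-key linter) runs, since every algorithm in Chapter 8 assumes $N$ is a product of distinct primes.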

7.12 Given $N$ and $a \in \mathbb{Z}_N^*$, show how to test in polynomial time whether $a$ is a strong witness that $N$ is composite.

7.13 Let $N = pq$ be a product of two distinct primes. Show that if $\phi(N)$ and $N$ are known, then it is possible to compute $p$ and $q$ in polynomial time.

Hint: Derive a quadratic equation (over the integers) in the unknown $p$.

7.14 Let $N = pq$ be a product of two distinct primes. Show that if $N$ and an integer $d$ such that $3 \cdot d = 1 \bmod \phi(N)$ are known, then it is possible to compute $p$ and $q$ in polynomial time.

Hint: Obtain a small list of possibilities for $\phi(N)$ and then use the previous exercise.
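Exercises 7.13 and 7.14 are the reason an RSA private exponent must be protected as carefully as the factorization itself. The following is an added example (not from the textbook) that works both exercises: the first function solves the quadratic from the hint of 7.13; the second applies the hint of 7.14 and is written for any small public exponent $e$, of which the exercise's $e = 3$ is the special case. The toy primes $1019$ and $1013$ are constructed for the demonstration.

```python
"""Recovering p, q from N = pq together with phi(N) (Exercise 7.13), or
together with an RSA private exponent d for a small e (Exercise 7.14).

Added example, not from the textbook.  The second function is written for
a general small public exponent e; the exercise's case is e = 3.
"""
from math import isqrt
from typing import Optional, Tuple


def factor_from_phi(N: int, phi: int) -> Optional[Tuple[int, int]]:
    """phi = (p-1)(q-1) = N - (p+q) + 1, so s := p + q = N - phi + 1 and
    p, q are the integer roots of X^2 - s*X + N = 0.  Returns (p, q) with
    p > q, or None if phi is not phi(N) for any such p, q."""
    s = N - phi + 1
    disc = s * s - 4 * N                      # equals (p - q)^2 if phi is right
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2 != 0:     # must be a square, same parity as s
        return None
    p, q = (s + r) // 2, (s - r) // 2
    if q < 2 or p * q != N:
        return None
    return p, q


def factor_from_d(N: int, e: int, d: int) -> Optional[Tuple[int, int]]:
    """e*d = 1 mod phi(N) means e*d - 1 = k*phi(N) for some integer k, and
    since 1 <= d < phi(N) we have 1 <= k <= e - 1.  Each candidate k gives
    a candidate phi(N) to try with factor_from_phi; for e = 3 the list has
    just two entries."""
    for k in range(1, e):
        if (e * d - 1) % k == 0:
            res = factor_from_phi(N, (e * d - 1) // k)
            if res is not None:
                return res
    return None


def demo() -> Optional[Tuple[int, int]]:
    """Constructed toy key: p = 1019, q = 1013 (both prime, with p-1 and
    q-1 coprime to 3), so e = 3 is a valid RSA public exponent."""
    p, q = 1019, 1013
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(3, -1, phi)                       # 3*d = 1 mod phi(N)
    assert factor_from_phi(N, phi) == (p, q)
    return factor_from_d(N, 3, d)


if __name__ == "__main__":
    print(demo())                             # (1019, 1013)
```

For a general (large) $e$ the list of candidate $k$ is no longer small and a different argument is needed, but the two-candidate case above is exactly what the exercise asks for.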

7.15 Prove formally that the hardness of the CDH problem relative to $\mathcal{G}$ implies the hardness of the discrete logarithm problem relative to $\mathcal{G}$.

7.16 Prove formally that the hardness of the DDH problem relative to $\mathcal{G}$ implies the hardness of the CDH problem relative to $\mathcal{G}$.

7.17 Prove the third statement in Proposition 7.65.

7.18 Determine whether or not the following problem is hard. Let $p$ be prime, and fix $x \in \mathbb{Z}_{p-1}^*$. Given $p$, $x$, and $y := [g^x \bmod p]$ (where $g$ is a random value between 1 and $p-1$), find $g$, i.e., compute the $x$th root of $y$ modulo $p$. If you claim the problem is hard, show a reduction to one of the assumptions introduced in this chapter. If you claim the problem is easy, present an algorithm, justify its correctness, and analyze its complexity.

7.19 Let $\mathcal{G}$ be an algorithm that, on input $1^n$, outputs $p, q, g$ where $p = 2q+1$ is a strong prime and $g$ is a generator of the subgroup of quadratic residues modulo $p$. (See Section 7.3.3.) Show how to obtain compression in Construction 7.72 for $p$ large enough.

7.20 Let $\mathcal{G}_1$ be as in Section 7.3.3. Show that hardness of the discrete logarithm problem relative to $\mathcal{G}_1$ implies the existence of a family of one-way permutations.

Hint: Define a permutation on elements of $\mathbb{Z}_p^*$.
7.21 Let GenRSA be as in Section 7.2.4. Prove that if the RSA problem is hard relative to GenRSA then Construction 7.75 shown below is a fixed-length collision-resistant hash function.

CONSTRUCTION 7.75

Define $(\mathsf{Gen}, H)$ as follows:

• Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $N, e, d$, and select $y \leftarrow \mathbb{Z}_N^*$. The key is $s := (N, e, y)$.

• $H$: if $s = (N, e, y)$, then $H^s$ maps inputs in $\{0,1\}^{3n}$ to outputs in $\mathbb{Z}_N^*$. Let $f_0(x) := [x^e \bmod N]$ and $f_1(x) := [y \cdot x^e \bmod N]$. For a $3n$-bit long string $x = x_1 \cdots x_{3n}$, define

Hint: Show that the $e$th root of $y$ can be computed from any collision.
7.22 Consider the generalization of Construction 7.72 shown below.

CONSTRUCTION 7.76

Define a fixed-length hash function $(\mathsf{Gen}, H)$ as follows:

• Gen: on input $1^n$, run $\mathcal{G}(1^n)$ to obtain $(G, g, h_1)$ and then select $h_2, \ldots, h_t \leftarrow G$. Output $s := (G, g, (h_1, \ldots, h_t))$ as the key.

• $H$: given a key $s = (G, g, (h_1, \ldots, h_t))$ and input $(x_1, \ldots, x_t)$ with $x_i \in \mathbb{Z}_q$, output $H^s(x_1, \ldots, x_t) := \prod_i h_i^{x_i}$.

• Prove that if the discrete logarithm problem is hard relative to $\mathcal{G}$, and $q$ is prime, then the construction is a fixed-length collision-resistant hash function for any $t = \mathrm{poly}(n)$.

• Discuss how this construction can be used to obtain compression regardless of the number of bits needed to represent elements of $G$ (as long as it is polynomial in $n$).
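The proof asked for in Exercise 7.22 is a reduction: an adversary who finds a collision in Construction 7.76 hands you a discrete logarithm. The following added example (not code from the textbook) makes both directions concrete in the order-$q$ subgroup of $\mathbb{Z}_p^*$, using the constructed parameters $p = 2027$, $q = 1013$, $g = 4$. `keygen_embedding` builds the key the reduction uses (the challenge element $h$ placed at position $j$, every other $h_i$ set to $g^{r_i}$ with $r_i$ known); `forge_collision` shows why a key holder who knows all the logarithms can produce collisions at will; `extract_dlog` is the reduction's output. The function names are this example's own.

```python
"""Construction 7.76 (a product of powers h_1^{x_1} ... h_t^{x_t}) in the
order-q subgroup of Z_p^*, together with the reduction of Exercise 7.22:
anyone who knows the discrete logarithms of the h_i can forge collisions,
and conversely any collision yields the discrete logarithm of h_j.

Added example, not from the textbook.  The constructed group is the
subgroup of quadratic residues of Z_2027^*, which has prime order
q = 1013 and generator g = 4; the function names are this example's own.
"""
import random
from typing import Dict, List, Sequence, Tuple

Key = Tuple[int, int, int, List[int]]   # (p, q, g, [h_1, ..., h_t])


def hash_776(key: Key, xs: Sequence[int]) -> int:
    """H^s(x_1, ..., x_t) := prod_i h_i^{x_i} in the group."""
    p, q, _, hs = key
    out = 1
    for h, x in zip(hs, xs):
        out = out * pow(h, x % q, p) % p
    return out


def keygen_embedding(p: int, q: int, g: int, h: int, j: int, t: int,
                     rng=random) -> Tuple[Key, Dict[int, int]]:
    """The reduction's key: h_j := h (the element whose log we want) and
    h_i := g^{r_i} for i != j with r_i known.  Returns the key and the r_i."""
    rs = {i: rng.randrange(1, q) for i in range(t) if i != j}
    hs = [h if i == j else pow(g, rs[i], p) for i in range(t)]
    return (p, q, g, hs), rs


def forge_collision(q: int, logs: Sequence[int], xs: Sequence[int],
                    rng=random) -> List[int]:
    """A key holder who knows every log a_i = log_g h_i forges x' != x with
    sum a_i x'_i = sum a_i x_i mod q, so H(x') = H(x).  Coordinates 1..t-1
    are re-randomised to differ from x, coordinate 0 is solved for
    (needs a_0 != 0 and q prime)."""
    target = sum(a * x for a, x in zip(logs, xs)) % q
    xs2 = [0] + [(x + rng.randrange(1, q)) % q for x in xs[1:]]
    rest = sum(a * x for a, x in zip(logs[1:], xs2[1:])) % q
    xs2[0] = (target - rest) * pow(logs[0], -1, q) % q
    return xs2


def extract_dlog(q: int, rs: Dict[int, int], j: int,
                 xs: Sequence[int], xs2: Sequence[int]) -> int:
    """From a collision (xs, xs2) with x_j != x'_j:
    sum_{i != j} r_i (x_i - x'_i) + a (x_j - x'_j) = 0 mod q, hence
    a = log_g h_j = -sum_{i != j} r_i (x_i - x'_i) / (x_j - x'_j) mod q."""
    diff_j = (xs[j] - xs2[j]) % q
    assert diff_j != 0, "collision does not touch coordinate j"
    acc = sum(rs[i] * (xs[i] - xs2[i]) for i in rs) % q
    return (-acc) * pow(diff_j, -1, q) % q


if __name__ == "__main__":
    p, q, g = 2027, 1013, 4
    secret = 123                                   # log_g h, unknown to the reduction
    key, rs = keygen_embedding(p, q, g, pow(g, secret, p), j=1, t=3)
    xs = [10, 20, 30]
    xs2 = forge_collision(q, [rs[0], secret, rs[2]], xs)   # the "adversary"
    assert hash_776(key, xs) == hash_776(key, xs2)
    print(extract_dlog(q, rs, 1, xs, xs2))          # 123
```

The practical lesson is the one behind "nothing-up-my-sleeve" generation of the $h_i$: whoever chose $h_i = g^{a_i}$ with known $a_i$ can collide this hash, so in a deployment the $h_i$ must be derived in a way that convinces everyone nobody knows their logarithms.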


Chapter 8

Algorithms for Factoring and Computing Discrete Logarithms


As  discussed  in  Chapter  7,  there  are  currently  no  known  polynomial-time  al- 
gorithms for  factoring  or  for  computing  discrete  logarithms  in  certain  groups. 
But  this  does  not  mean  that  brute-force  search  is  the  best  available  approach 
for  attacking  these  problems!  Here,  we  survey  some  more  efficient  algorithms 
for  these  problems.  These  algorithms  are  interesting  in  their  own  right,  and 
serve  as  a nice  application  of  some  of  the  number  theory  we  have  already 
learned.  Moreover,  understanding  the  effectiveness  of  these  algorithms  is  cru- 
cial for  choosing  cryptographic  parameters  in  practice.  If  a cryptographic 
scheme  based  on  factoring  is  supposed  to  withstand  adversaries  mounting  a 
dedicated  attack  for  15  years,  then  — at  a minimum!  — the  modulus  N 
used  by  the  scheme  needs  to  be  long  enough  so  that  the  best-known  factoring 
algorithm  will  take  (at  least)  15  years  to  successfully  factor  N . 

Algorithms for other problems. We focus here on algorithms for factoring and computing discrete logarithms, not on algorithms for, say, solving the RSA or decisional Diffie-Hellman problems. This may seem somewhat misguided since the latter are used much more often than the former when constructing cryptographic schemes and, as noted in the previous chapter, the latter are potentially easier to solve than the former. (That is, solving the RSA problem is potentially easier than factoring, and solving the decisional Diffie-Hellman problem is possibly easier than computing discrete logarithms.) Our focus is justified by the fact that, currently, the best known algorithm for solving RSA is to first factor the modulus, and (in appropriate groups as discussed in Sections 7.3.3 and 7.3.4) the best known algorithm for solving the decisional Diffie-Hellman problem is to compute discrete logarithms.


8.1 Algorithms for Factoring

Throughout this section, we assume that $N = pq$ is a product of two distinct primes. We will also be most interested in the case that $p$ and $q$ are each of the same (known) length $n$, and so $n = \Theta(\log N)$. There exist other factoring algorithms tailored to work for $N$ of a different form (e.g., when $N = p^r q$ for $p, q$ prime and an integer $r > 1$, or when $p$ and $q$ have significantly different lengths) but we do not cover these here.

We will frequently use the Chinese remainder theorem along with the notation developed in Section 7.1.5. The Chinese remainder theorem states that

$\mathbb{Z}_N^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^*,$

with isomorphism given by $f(x) = ([x \bmod p], [x \bmod q])$ for $x \in \mathbb{Z}_N^*$. The fact that $f$ is an isomorphism means in particular that it gives a bijection between elements $x \in \mathbb{Z}_N^*$ and pairs $(x_p, x_q) \in \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. We write $x \leftrightarrow (x_p, x_q)$, with $x_p = [x \bmod p]$ and $x_q = [x \bmod q]$, to denote this bijection.

Recall from Section 7.2 that trial division, a trivial, brute-force factoring method, finds a factor of a given number $N$ with probability 1 in time $O(\sqrt{N} \cdot \mathrm{polylog}(N))$. A more sophisticated factoring algorithm is therefore only interesting if its running time is asymptotically less than this. We cover three different factoring algorithms with improved running time:

• Pollard's $p-1$ method is effective when $p-1$ has "small" prime factors.

• Pollard's rho method applies to arbitrary $N$. (As such, it is called a general-purpose factoring algorithm.) Its running time for $N$ of the form discussed at the beginning of this section is $O(N^{1/4} \cdot \mathrm{polylog}(N))$. Since $N = 2^{\Theta(n)}$, this is still exponential in $n$, the length of $N$.

• The quadratic sieve algorithm is a general-purpose factoring algorithm that runs in time sub-exponential in the length of $N$.$^1$ We give a high-level overview of how this algorithm works, but the details are somewhat complex and are beyond the scope of this book.

Currently, the best-known general-purpose factoring algorithm (in terms of its asymptotic running time) is the general number field sieve. Heuristically, this algorithm runs in time $2^{O(n^{1/3} \cdot (\log n)^{2/3})}$ on average to factor a number $N$ of length $\Theta(n)$.$^2$

$^1$ If $f(n) = 2^{\Theta(n)}$ then $f$ is exponential in $n$. If $f(n) = 2^{o(n)}$ then $f$ is sub-exponential in $n$. A polynomial in $n$ has the form $f(n) = 2^{\Theta(\log n)} = n^{\Theta(1)}$.

$^2$ It remains open to rigorously analyze the running time of this algorithm.

8.1.1 Pollard's $p-1$ Method

In the case of integers $N = pq$ where $p-1$ has only "small" factors, an algorithm due to Pollard can be used to efficiently factor $N$ (our description of the algorithm relies on some results proven in Appendix B.3.1). The key to
this approach is the following observation: Say we can find an element $y \in \mathbb{Z}_N^*$ for which $y \leftrightarrow (1, y_q)$ and $y_q \neq 1$. That is,

$y = 1 \bmod p \quad \text{but} \quad y \neq 1 \bmod q \qquad (8.1)$

or, equivalently,

$y - 1 = 0 \bmod p \quad \text{but} \quad y - 1 \neq 0 \bmod q.$

The above means that $p \mid (y-1)$ but $q \nmid (y-1)$, which in turn implies that $\gcd(y-1, N) = p$. Thus, a simple gcd computation (which can be performed efficiently as described in Appendix B.1.2) yields a non-trivial factor of $N$.

The problem of factoring $N$ has thus been reduced to finding a value $y$ with the stated properties. We now describe how to find such a $y$. Say we have an integer $B$ for which

$(p-1) \mid B \quad \text{but} \quad (q-1) \nmid B. \qquad (8.2)$

(We defer until later the details of how such a $B$ is determined.) Write $B = \gamma \cdot (p-1)$ for some integer $\gamma$. The algorithm (see the pseudocode below) chooses a random element $x \leftarrow \mathbb{Z}_N^*$ and sets $y := [x^B \bmod N]$; note that $y$ can be computed using the efficient exponentiation algorithm from Appendix B.2.3.


ALGORITHM 8.1

Pollard's $p-1$ algorithm for factoring

Input: Integer $N$
Output: A non-trivial factor of $N$

$x \leftarrow \mathbb{Z}_N^*$
$y := [x^B \bmod N]$
$p := \gcd(y - 1, N)$
if $p \notin \{1, N\}$ return $p$


We now show that $y$ satisfies Equation (8.1), and thus that the algorithm finds a non-trivial factor of $N$, with relatively high probability. We have

$y = [x^B \bmod N] \leftrightarrow (x_p^B \bmod p,\; x_q^B \bmod q) = ((x_p^{p-1})^{\gamma} \bmod p,\; x_q^B \bmod q) = (1,\; x_q^B \bmod q)$

using Theorem 7.14 and the fact that the order of $\mathbb{Z}_p^*$ is $p-1$. That is, $y \leftrightarrow (1, x_q^B \bmod q)$. We thus see that $y$ satisfies Equation (8.1) whenever $x_q^B \neq 1 \bmod q$.

Since $q$ is prime, $\mathbb{Z}_q^*$ is a cyclic group of order $q-1$ that contains exactly $\phi(q-1)$ generators, each of whose order is, by definition, $q-1$. (See Theorem B.18.) We claim that if $x_q$ is a generator of $\mathbb{Z}_q^*$ and $(q-1) \nmid B$, then $x_q^B \neq 1 \bmod q$. To see this, use division-with-remainder (Proposition 7.1) to write $B = \alpha \cdot (q-1) + \beta$ with $1 \leq \beta < (q-1)$. Then

$x_q^B = x_q^{\alpha \cdot (q-1) + \beta} = (x_q^{q-1})^{\alpha} \cdot x_q^{\beta} = x_q^{\beta} \bmod q,$

using Theorem 7.14. But $x_q^{\beta} \neq 1 \bmod q$ since the order of $x_q$ is strictly larger than $\beta$. It remains to analyze the probability that $x_q$ is a generator.

Assume $(q-1) \nmid B$. If $x$ is chosen uniformly at random from $\mathbb{Z}_N^*$, then $x_q = [x \bmod q]$ is uniformly distributed in $\mathbb{Z}_q^*$. (This is a consequence of the fact that the Chinese remainder theorem gives a bijection between $\mathbb{Z}_N^*$ and $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$.) Since $\mathbb{Z}_q^*$ has $\phi(q-1)$ generators, the probability of choosing $x$ such that $x_q^B \neq 1 \bmod q$ is thus at least $\phi(q-1)/(q-1)$. Using Theorem B.16, this probability is $\Omega(1/\log q)$.

The preceding discussion shows that Pollard's $p-1$ algorithm succeeds in finding a non-trivial factor of $N$ with probability $\Omega(1/\log q) = \Omega(1/n)$, assuming a $B$ satisfying Equation (8.2) is known. (Alternatively, we can run the algorithm for $O(\log^2 q) = \mathrm{poly}(n)$ iterations and find a non-trivial factor of $N$ with all but negligible probability.) It remains to choose a value for $B$.

One possibility is to choose

$B := \prod_{i=1}^{k} p_i^{\lfloor n / \log p_i \rfloor},$

where $p_i$ denotes the $i$th prime (that is, $p_1 = 2, p_2 = 3, p_3 = 5, \ldots$) and $k$ is a bound whose choice affects both the running time and the success probability of the algorithm. Note that $p_i^{\lfloor n / \log p_i \rfloor}$ is the largest power of $p_i$ that can divide $p-1$, an integer of length at most $n$. Thus, as long as $p-1$ can be written as $\prod_{i=1}^{k} p_i^{e_i}$ with $e_i \geq 0$ (that is, as long as $p-1$ has no prime factors larger than $p_k$), it will be the case that $(p-1) \mid B$. In contrast, if $q-1$ has any prime factor larger than $p_k$ then $(q-1) \nmid B$.

Choosing a larger value for $k$ increases $B$ and so increases the running time of the algorithm (which performs a modular exponentiation to the power $B$). A larger value of $k$ also makes it more likely that $(p-1) \mid B$ but at the same time makes it less likely that $(q-1) \nmid B$. It is, of course, possible to run the algorithm repeatedly using multiple choices for $k$. Other ways of selecting $B$ have also been considered.
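The following added example (not code from the textbook) implements Algorithm 8.1 together with the choice of $B$ just described, and the "run it repeatedly with multiple choices for $k$" strategy. It is run on a constructed modulus $N = 2311 \cdot 2027$: $2311 - 1 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$ is $11$-smooth, while $2027 - 1 = 2 \cdot 1013$ has a large prime factor, so condition (8.2) holds as soon as the prime bound reaches 11. The helper and function names are this example's own.

```python
"""Pollard's p-1 method (Algorithm 8.1) with the exponent
B = prod_i p_i^{floor(n / log p_i)} over the primes p_i up to a bound.

Added example, not from the textbook.  It factors a constructed modulus
N = 2311 * 2027: here 2311 - 1 = 2*3*5*7*11 is 11-smooth, while
2027 - 1 = 2*1013 has a large prime factor, so (8.2) holds for small k.
"""
import random
from math import gcd
from typing import List, Optional


def primes_up_to(bound: int) -> List[int]:
    """Sieve of Eratosthenes: all primes p_i <= bound."""
    is_prime = bytearray([1]) * (bound + 1)
    is_prime[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if is_prime[i]:
            is_prime[i * i :: i] = bytes(len(range(i * i, bound + 1, i)))
    return [i for i in range(bound + 1) if is_prime[i]]


def smooth_exponent(n_bits: int, prime_bound: int) -> int:
    """B := prod p_i^{a_i} with a_i the largest exponent such that
    p_i^{a_i} <= 2^n: every prime power that can divide an n-bit p - 1
    whose prime factors are all <= prime_bound divides B."""
    B = 1
    for p in primes_up_to(prime_bound):
        a, power = 0, 1
        while power * p <= (1 << n_bits):
            power *= p
            a += 1
        B *= p ** a
    return B


def pollard_p_minus_1(N: int, B: int, rng=random, trials: int = 20) -> Optional[int]:
    """Algorithm 8.1, repeated `trials` times with a fresh random x each time."""
    for _ in range(trials):
        x = rng.randrange(2, N - 1)
        g = gcd(x, N)
        if g != 1:
            return g                  # x was not in Z_N^*: already a factor
        y = pow(x, B, N)              # y = x^B mod N, so y = 1 mod p if (p-1) | B
        g = gcd(y - 1, N)
        if g not in (1, N):
            return g
    return None                       # B too small (or too large) for this N


def factor_with_growing_bound(N: int, n_bits: int, rng=random) -> Optional[int]:
    """Re-run with the prime bound doubled until some bound works (or give up)."""
    bound = 2
    while bound <= 1 << n_bits:
        g = pollard_p_minus_1(N, smooth_exponent(n_bits, bound), rng)
        if g is not None:
            return g
        bound *= 2
    return None


if __name__ == "__main__":
    N = 2311 * 2027                   # 4684397, constructed for this demo
    print(factor_with_growing_bound(N, 12))   # 2311 or 2027
```

Note what the gcd test is detecting: with bound 11, $y \equiv 1 \pmod{2311}$ for every $x$, while $y \equiv 1 \pmod{2027}$ only when $x \equiv \pm 1 \pmod{2027}$, so almost every trial succeeds. Against a modulus whose $p-1$ and $q-1$ both have a large prime factor the bound keeps doubling until $B$ is astronomically large, which is the failure mode the next paragraph describes.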

Pollard's $p-1$ method is thwarted if both $p-1$ and $q-1$ have only large prime factors. (More precisely, the algorithm still works but only when $B$ is so large that the algorithm is no longer efficient.) For this reason, when generating a modulus $N = pq$ for cryptographic applications, $p$ and $q$ are sometimes chosen to be strong primes (recall that $p$ is a strong prime if $(p-1)/2$ is also prime). Selecting $p$ and $q$ in this way is markedly less efficient than simply choosing $p$ and $q$ as arbitrary (random) primes. Because better factoring algorithms are available anyway, as we will see below, the current consensus is that the added computational cost of generating $p$ and $q$ as strong primes is not offset by any appreciable security gains. However, we remark that certain cryptographic schemes (that we will not see in this book) require $p$ and $q$ to be strong primes for technical reasons related to the group structure of $\mathbb{Z}_N^*$.

8.1.2 Pollard's Rho Method

Unlike the algorithm of the previous section, Pollard's rho method can be used to find a non-trivial factor of an arbitrary integer $N$ without assumptions regarding $p$ or $q$; that is, it is a general-purpose factoring algorithm. Proving rigorous bounds on the running time/success probability of the algorithm is still an open question. However, heuristically, the algorithm factors $N$ with constant probability in $O(N^{1/4} \cdot \mathrm{polylog}(N))$ steps, an improvement over trial division.

The idea of the rho method is to find two distinct values $x, x' \in \mathbb{Z}_N^*$ that are equivalent modulo $p$ (i.e., $x = x' \bmod p$); let us call such a pair of values good. Similarly to the previous section, we may observe that $x - x' = 0 \bmod p$ but $x - x' \neq 0 \bmod N$, and so $p \mid (x - x')$ but $N \nmid (x - x')$. But this means that $\gcd(x - x', N) = p$, a non-trivial factor of $N$.

How can we find a good pair? Assume we choose values $x_1, \ldots, x_k$ independently and uniformly at random from $\mathbb{Z}_N^*$, where $k = 2^{n/2} = \Theta(\sqrt{p})$. Using the birthday bounds proved in Appendix A.4, it follows that:

• The probability that there exist distinct $i, j$ with $x_i = x_j$ is at most

$\frac{k^2}{2 \cdot \phi(N)} = \frac{2^n}{2 \cdot \phi(N)},$

which is negligible in $n$. (See Lemma A.9.)

• As a consequence of the bijectivity between $\mathbb{Z}_N^*$ and $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$ guaranteed by the Chinese remainder theorem, the values $\{[x_i \bmod p]\}_{i=1}^{k}$ are independently and uniformly distributed in $\mathbb{Z}_p^*$. Using Lemma A.10, the probability that there exist $i \neq j$ with $[x_i \bmod p] = [x_j \bmod p]$ or, equivalently, $x_i = x_j \bmod p$, is roughly 1/4.

Combining the above, we see that with probability roughly 1/4 there will exist $i, j$ with $x_i, x_j$ a good pair; i.e.,

$x_i = x_j \bmod p \quad \text{but} \quad x_i \neq x_j \bmod N.$

This pair can then be used to find a non-trivial factor of $N$ as discussed earlier.

We can generate $k = \Theta(\sqrt{p})$ random elements of $\mathbb{Z}_N^*$ in $\Theta(\sqrt{p}) = \Theta(N^{1/4})$ time. Testing all pairs of elements in order to find a good pair, however, would require $\binom{k}{2} = \Theta(k^2) = \Theta(p) = \Theta(\sqrt{N})$ time! (Note that since $p$ is unknown we cannot simply compute the sequence $\hat{x}_i := [x_i \bmod p]$ and then sort the $\hat{x}_i$ to find a good pair. Instead, for all $i, j$ we must compute $\gcd(x_i - x_j, N)$ to see whether this gives a non-trivial factor of $N$.) Without further optimizations, this will be no better than trial division.

Pollard's idea was to choose $x_1, \ldots, x_k, \ldots, x_{2k}$ in a recursive manner, choosing $x_1 \in \mathbb{Z}_N^*$ at random and then computing $x_m := F(x_{m-1}) \bmod N$ for some appropriate function $F$. (The choice of $F$ is discussed below.) Instead of testing each pair $x_i, x_j$ (for all $i, j \leq k$) to find a good pair, it now suffices to test $x_i$ and $x_{2i}$ for all $i \leq k$, as justified by the following claim.

CLAIM 8.2 Let $x_1, \ldots$ be a sequence of values with $x_m = F(x_{m-1}) \bmod N$. If $x_i = x_j \bmod p$ with $i < j$, then there exists an $i' < j$ such that $x_{i'} = x_{2i'} \bmod p$.

PROOF If $x_i = x_j \bmod p$, then the sequence $[x_i \bmod p], [x_{i+1} \bmod p], \ldots$ repeats with period $j - i$. (That is, for all $i' \geq i$ and integers $\delta \geq 0$ it holds that $x_{i'} = x_{i' + \delta(j-i)} \bmod p$.) Take $i'$ to be the smallest multiple of $j - i$ that is greater than or equal to $i$; that is, $i' := (j-i) \cdot \lceil i/(j-i) \rceil$. We must have $i' < j$ since the sequence $i, i+1, \ldots, i + (j-i-1)$ contains a multiple of $j - i$. Since $2i' - i' = i'$ is a multiple of the period and $i' \geq i$, it follows that $x_{i'} = x_{2i'} \bmod p$. ∎


By the claim above, if there is a good pair $x_i, x_j$ in the sequence $x_1, \ldots, x_k$ then there is a good pair $x_{i'}, x_{2i'}$ in the sequence $x_1, \ldots, x_{2k}$. The number of pairs that need to be tested, however, is reduced from $\binom{k}{2}$ to $k = \Theta(\sqrt{p}) = \Theta(N^{1/4})$. A description of the entire algorithm follows.

ALGORITHM 8.3

Pollard's rho algorithm for factoring

Input: Integer $N$, a product of two $n$-bit primes
Output: A non-trivial factor of $N$

$x_0 \leftarrow \mathbb{Z}_N^*$
for $i = 1$ to $2^{n/2}$:
    $x_i := [F(x_{i-1}) \bmod N]$
    $x_{2i} := [F(F(x_{2i-2})) \bmod N]$
    $p := \gcd(x_{2i} - x_i, N)$
    if $p \notin \{1, N\}$ return $p$


Pollard's choice of $x_1, \ldots$ leads to an improvement in the running time of the algorithm. Unfortunately, since the values in the sequence are no longer chosen independently at random, the analysis given earlier (showing that a good pair exists with probability roughly 1/4) no longer applies. Heuristically, however, if the sequence "behaves randomly" then we expect that a good pair will still be found with probability roughly 1/4. (We stress that the sequence is certainly not pseudorandom in the sense of Chapter 3. However, cryptographic pseudorandomness is not a necessary condition for Pollard's rho algorithm to succeed.) Taking $F$ of the form $F(x) = x^2 + b$, where $b \neq 0, -2 \bmod N$, gives an $F$ that is efficient to compute and seems to work well in practice. (See [142, Section 10.2] for some rationale for this choice of $F$.) It remains an interesting open question to give a tight and rigorous analysis of Pollard's rho algorithm for any concrete $F$.
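As an added example (not code from the textbook), here is Algorithm 8.3 with the $F(x) = x^2 + b$ of the preceding paragraph. The two walks $x_i$ and $x_{2i}$ advance in lock-step exactly as in the pseudocode and $\gcd(x_{2i} - x_i, N)$ is tested at every step; the one practical addition is a hypothetical wrapper `factor_rho` that restarts with a different $b$ when the walk closes its cycle modulo $N$ (gcd equal to $N$) before closing modulo a prime factor, which the text's heuristic analysis does not rule out.

```python
"""Pollard's rho method (Algorithm 8.3) with F(x) = x^2 + b mod N.

Added example, not from the textbook.  The walk x_i, x_{2i} is advanced
in lock-step exactly as in the pseudocode, and gcd(x_{2i} - x_i, N) is
tested at every step.  `factor_rho` is this example's own wrapper that
retries with a different b if the walk closes its cycle modulo N (gcd = N)
before closing modulo p.
"""
import random
from math import gcd
from typing import Optional


def pollard_rho(N: int, b: int = 1, rng=random,
                max_steps: Optional[int] = None) -> Optional[int]:
    """One run of Algorithm 8.3.  Returns a non-trivial factor, or None if
    the walk hit gcd = N (start over with another b / another x_0)."""
    assert b % N not in (0, N - 2), "b must not be 0 or -2 mod N"

    def F(x: int) -> int:
        return (x * x + b) % N

    x = x2 = rng.randrange(2, N - 1)          # x_0; both walks start here
    steps = 0
    while max_steps is None or steps < max_steps:
        x = F(x)                              # x_i = F(x_{i-1})
        x2 = F(F(x2))                         # x_{2i} = F(F(x_{2i-2}))
        g = gcd(abs(x2 - x), N)
        if g == N:
            return None                       # x_i = x_{2i} mod N as well: useless
        if g > 1:
            return g                          # x_i = x_{2i} mod p but not mod N
        steps += 1
    return None


def factor_rho(N: int, rng=random, tries: int = 10) -> Optional[int]:
    """Retry with b = 1, 2, 3, ... (skipping 0 and -2 mod N) until a factor appears."""
    b = 1
    for _ in range(tries):
        while b % N in (0, N - 2):
            b += 1
        g = pollard_rho(N, b, rng)
        if g is not None:
            return g
        b += 1
    return None


if __name__ == "__main__":
    print(factor_rho(377753))                 # 751 or 503, the factors of Example 8.4
```

The loop always terminates even without `max_steps`: the sequence modulo $N$ is eventually periodic, and Floyd's cycle-finding ($x_i$ versus $x_{2i}$) is guaranteed to detect that period, at which point the gcd is $N$ and the run reports failure rather than spinning.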

8.1.3 The Quadratic Sieve Algorithm

Pollard's rho algorithm runs in time exponential in the length of the number $N$ to be factored. The quadratic sieve algorithm runs in sub-exponential time. It was the fastest-known factoring algorithm until the early '90s, and remains the factoring algorithm of choice for numbers up to about 300 bits long. We describe the general principles underlying the quadratic sieve algorithm but caution the reader that many important details are omitted.

Recall that an element $z \in \mathbb{Z}_N^*$ is a quadratic residue modulo $N$ if there exists an $x \in \mathbb{Z}_N^*$ such that $x^2 = z \bmod N$; we say that $x$ is a square root of $z$ in this case. The following observations, used also in Chapter 11, serve as our starting point:

• If $N = pq$ is a product of two distinct primes, then every quadratic residue modulo $N$ has exactly four square roots. See Section 11.1.2 for a proof.

• Given $x, y$ with $x^2 = y^2 \bmod N$ and $x \neq \pm y \bmod N$, it is possible to compute a non-trivial factor of $N$ in polynomial time. This is by virtue of the fact that $x^2 = y^2 \bmod N$ implies

$0 = x^2 - y^2 = (x - y)(x + y) \bmod N,$

and so $N \mid (x - y)(x + y)$. However, $N \nmid (x - y)$ and $N \nmid (x + y)$ because $x \neq \pm y \bmod N$. So it must be the case that $\gcd(x - y, N)$ is equal to one of the prime factors of $N$. See also Lemma 11.21.

The quadratic sieve algorithm tries to generate a pair of values $x, y$ whose squares are equal modulo $N$; the hope is that with constant probability it will also hold that $x \neq \pm y \bmod N$. It searches for $x$ and $y$ via the following two-step process:$^3$

Step 1. Fix a set $\mathcal{B} = \{p_1, \ldots, p_k\}$ of small prime numbers. Find $\ell > k$ distinct values $x_1, \ldots, x_\ell \in \mathbb{Z}_N^*$ for which $q_i := [x_i^2 \bmod N]$ is "small", so that $q_i$ can be factored over the integers (using, e.g., trial division) and such that all the prime factors of $q_i$ lie in $\mathcal{B}$. (It is also required that $x_i > \sqrt{N}$, thus ensuring that $x_i^2 > N$ and the modular reduction of $x_i^2$ is not trivial.) We omit the details of how these $\{x_i\}$ are found.

$^3$ Some details have been changed in order to simplify the presentation. The description is merely meant to convey the main ideas of the algorithm.

Following this step, we have a set of equations of the form:

$x_1^2 = \prod_{i=1}^{k} p_i^{e_{1,i}} \bmod N$
$\quad \vdots \qquad\qquad (8.3)$
$x_\ell^2 = \prod_{i=1}^{k} p_i^{e_{\ell,i}} \bmod N.$

Reducing the exponents of each $p_i$ modulo 2, we obtain the matrix $\Gamma$ defined as

$\Gamma := \begin{pmatrix} \gamma_{1,1} & \gamma_{1,2} & \cdots & \gamma_{1,k} \\ \vdots & & & \vdots \\ \gamma_{\ell,1} & \gamma_{\ell,2} & \cdots & \gamma_{\ell,k} \end{pmatrix} \stackrel{\mathrm{def}}{=} \begin{pmatrix} [e_{1,1} \bmod 2] & [e_{1,2} \bmod 2] & \cdots & [e_{1,k} \bmod 2] \\ \vdots & & & \vdots \\ [e_{\ell,1} \bmod 2] & [e_{\ell,2} \bmod 2] & \cdots & [e_{\ell,k} \bmod 2] \end{pmatrix}.$

The goal is to have $\ell > k$ with none of the rows of $\Gamma$ all 0. Once this is accomplished, proceed to the next step.

Step 2. The matrix $\Gamma$ constructed in the previous step has more rows than columns. Therefore, some subset of the rows must sum to the all-0 row modulo 2. (Furthermore, by construction, $\Gamma$ has no all-0 rows.) An appropriate set of rows can be found efficiently using linear algebra. For the sake of illustration, say rows $\ell_1, \ell_2, \ell_3$ sum to the all-0 row; that is,

$(\gamma_{\ell_1,1}, \ldots, \gamma_{\ell_1,k}) + (\gamma_{\ell_2,1}, \ldots, \gamma_{\ell_2,k}) + (\gamma_{\ell_3,1}, \ldots, \gamma_{\ell_3,k}) = (0, \ldots, 0),$

where addition is modulo 2. Taking the appropriate equations from Equation (8.3), we have

$x_{\ell_1}^2 \cdot x_{\ell_2}^2 \cdot x_{\ell_3}^2 = \prod_{i=1}^{k} p_i^{\,e_{\ell_1,i} + e_{\ell_2,i} + e_{\ell_3,i}} \bmod N.$

Moreover, by choice of $\ell_1, \ell_2, \ell_3$ we know that $e_{\ell_1,i} + e_{\ell_2,i} + e_{\ell_3,i}$ is even for all $i$. This means that we can write

$X := (x_{\ell_1} \cdot x_{\ell_2} \cdot x_{\ell_3})^2 = \left( \prod_{i=1}^{k} p_i^{(e_{\ell_1,i} + e_{\ell_2,i} + e_{\ell_3,i})/2} \right)^2 \bmod N,$

and we have found two elements whose squares are equal modulo $N$. Although there is no guarantee that

$x_{\ell_1} \cdot x_{\ell_2} \cdot x_{\ell_3} \neq \pm \prod_{i=1}^{k} p_i^{(e_{\ell_1,i} + e_{\ell_2,i} + e_{\ell_3,i})/2} \bmod N,$

we can at least heuristically expect that this will be the case with probability roughly 1/2 (since $X$ has four square roots).


Example 8.4

Take $N = 377753$. We have $6647 = [620^2 \bmod N]$, and we can factor 6647 (over the integers, without any modular reduction) as

$6647 = 17^2 \cdot 23.$

Thus, $620^2 = 17^2 \cdot 23 \bmod N$. Similarly,

$621^2 = 2^4 \cdot 17 \cdot 29 \bmod N$
$645^2 = 2^7 \cdot 13 \cdot 23 \bmod N$
$655^2 = 2^3 \cdot 13 \cdot 17 \cdot 29 \bmod N.$

So

$620^2 \cdot 621^2 \cdot 645^2 \cdot 655^2 = 2^{14} \cdot 13^2 \cdot 17^4 \cdot 23^2 \cdot 29^2 \bmod N$
$[620 \cdot 621 \cdot 645 \cdot 655 \bmod N]^2 = [2^7 \cdot 13 \cdot 17^2 \cdot 23 \cdot 29 \bmod N]^2 \bmod N$
$127194^2 = 45335^2 \bmod N,$

with $127194 \neq \pm 45335 \bmod N$. Computing $\gcd(127194 - 45335, 377753) = 751$ yields a non-trivial factor of $N$. ◇
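The two steps above, run end to end on the numbers of Example 8.4, as an added example (not code from the textbook): Step 1 is done naively, by trial-dividing $[x^2 \bmod N]$ over the factor base for $x = \lceil\sqrt{N}\rceil, \lceil\sqrt{N}\rceil + 1, \ldots$ (the real algorithm sieves instead, which is the part the text omits), and the dependency search of Step 2 is Gaussian elimination over $\mathrm{GF}(2)$ with each row of $\Gamma$ stored as a bitmask. With the example's factor base $\{2, 13, 17, 23, 29\}$ the first relations found are $x = 619, 620, 621, 645, 655$, and the first dependency is the book's: rows $620, 621, 645, 655$. The function names are this example's own.

```python
"""Toy version of the quadratic sieve as described in Steps 1 and 2, run on
the numbers of Example 8.4.

Added example, not from the textbook.  Step 1 is done naively (trial
division of x^2 mod N over the factor base for x = ceil(sqrt N), ...),
and the dependency search of Step 2 is Gaussian elimination over GF(2)
with each row stored as a Python int bitmask.  The real algorithm sieves
instead of trial-dividing; everything else is as in the text.
"""
from math import gcd, isqrt
from typing import List, Optional, Tuple

Relation = Tuple[int, List[int]]      # (x_i, [e_{i,1}, ..., e_{i,k}])


def factor_over_base(q: int, base: List[int]) -> Optional[List[int]]:
    """Exponent vector of q over `base`, or None if q is not base-smooth."""
    exps = []
    for p in base:
        e = 0
        while q % p == 0:
            q //= p
            e += 1
        exps.append(e)
    return exps if q == 1 else None


def collect_relations(N: int, base: List[int], want: int) -> List[Relation]:
    """Step 1: x_i > sqrt(N) with q_i = x_i^2 mod N smooth over the base."""
    rels: List[Relation] = []
    x = isqrt(N) + 1
    while len(rels) < want:
        q = x * x % N
        exps = factor_over_base(q, base) if q > 0 else None
        if exps is not None:
            rels.append((x, exps))
        x += 1
    return rels


def gf2_dependencies(rows: List[int]) -> List[int]:
    """Step 2: bitmask subsets of rows whose XOR (sum mod 2) is the 0 row.
    Incremental elimination: pivot[bit] = (reduced row, which inputs built it)."""
    pivot = {}
    deps = []
    for idx, r in enumerate(rows):
        combo = 1 << idx
        while r:
            top = r.bit_length() - 1
            if top not in pivot:
                pivot[top] = (r, combo)
                break
            pr, pc = pivot[top]
            r ^= pr
            combo ^= pc
        if r == 0:
            deps.append(combo)        # these rows sum to the all-0 row
    return deps


def quadratic_sieve_toy(N: int, base: List[int], extra: int = 1) -> Optional[int]:
    """Returns a non-trivial factor of N, or None if every dependency
    found gave x = +-y mod N."""
    rels = collect_relations(N, base, len(base) + extra)
    parity_rows = [sum((e & 1) << i for i, e in enumerate(exps)) for _, exps in rels]
    for combo in gf2_dependencies(parity_rows):
        x, total = 1, [0] * len(base)
        for i, (xi, exps) in enumerate(rels):
            if combo >> i & 1:
                x = x * xi % N
                total = [a + b for a, b in zip(total, exps)]
        y = 1
        for p, e in zip(base, total):          # every e is even by construction
            y = y * pow(p, e // 2, N) % N
        if x != y and (x + y) % N != 0:        # x != +-y mod N
            return gcd(x - y, N)
    return None


if __name__ == "__main__":
    print(quadratic_sieve_toy(377753, [2, 13, 17, 23, 29]))   # 751
```

Relation 619 ($619^2 \bmod N = 2^5 \cdot 13^2$) does not appear in the book's hand calculation but is the first smooth value the scan meets; it is simply not part of the first dependency the elimination finds.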

Running time. We have omitted many details in our discussion of the algorithm above. It can be shown, however, that with appropriate optimizations the quadratic sieve algorithm runs in time $2^{O(\sqrt{n \log n})}$ to factor a number $N$ of length $\Theta(n)$. The important point is that this running time is sub-exponential in the length of $N$.


8.2 Algorithms for Computing Discrete Logarithms

Let $G$ be a group for which the group operation can be carried out efficiently. By the results of Appendix B.2.3, this means that exponentiation in $G$ can also be done efficiently. An instance of the discrete logarithm problem takes the following form (see Section 7.3.2): given $g \in G$ and $y \in \langle g \rangle$, find $x$ such that $g^x = y$. (Recall that $\langle g \rangle$, the cyclic subgroup generated by $g$, is the subgroup $\{g^0, g^1, \ldots\} \subseteq G$. If $\langle g \rangle = G$ then $g$ is a generator of $G$ and $G$ is cyclic.) This answer is denoted by $\log_g y$, and is uniquely defined modulo the order of $g$. We sometimes refer to $g$ in an instance of the discrete logarithm problem as the base.

Algorithms for attacking the discrete logarithm problem fall into two categories: those that work for arbitrary groups (such algorithms are sometimes termed generic) and those that work for some specific group. For algorithms of the former type, we can often just as well take the group to be $\langle g \rangle$ itself (thus ignoring elements in $G \setminus \langle g \rangle$ when $g$ is not a generator of $G$). When doing so, we will let $q$ denote the order of $\langle g \rangle$ and assume that $q$ is known. Note that brute-force search for the discrete logarithm $\log_g y$ can be done in time $O(q)$, and so we will only be interested in algorithms whose running time is better than this.

We will discuss the following algorithms that work in arbitrary groups:

• The baby-step/giant-step method, due to Shanks, computes the discrete logarithm in a group of order $q$ in time $O(\sqrt{q} \cdot \mathrm{polylog}(q))$.

• The Pohlig-Hellman algorithm can be used when the factorization of the group order $q$ is known. When $q$ has small factors, this technique reduces the given discrete logarithm instance to multiple instances of the discrete logarithm problem in groups of smaller order. Solutions to each of the latter can be combined to give the desired solution to the original problem.

Following this, we will look at computing discrete logarithms in some specific groups. As an illustrative but simple example, in Section 8.2.3 we look at the problem in the (additive) group $\mathbb{Z}_N$ and show that discrete logarithms can be computed in polynomial time in this case.

The point of this example is to demonstrate that even though any cyclic group of order $q$ is isomorphic to $\mathbb{Z}_q$ (cf. Example 7.58), and hence all cyclic groups of the same order are algebraically identical, the hardness of the discrete logarithm problem depends in a crucial way on the particular representation of the group being used.

Indeed, the algorithm for computing discrete logarithms in the additive group $\mathbb{Z}_N$ will rely on the fact that multiplication modulo $N$ is also defined. Such a statement makes no sense in some arbitrary group that is defined without reference to modular arithmetic.

Turning to groups with more cryptographic significance, in Section 8.2.4 we briefly discuss the computation of discrete logarithms in the cyclic group $\mathbb{Z}_p^*$ for $p$ prime. We give a high-level overview of the index calculus method that solves the discrete logarithm problem in such groups in sub-exponential time. The full details of this approach are, unfortunately, beyond the scope of this book.

The baby-step/giant-step algorithm is known to be optimal in terms of its asymptotic running time as far as generic algorithms go. (We remark, however, that more space-efficient generic algorithms with the same running time are known.) The proven lower bound on the complexity of finding discrete logarithms when the group is treated generically, however, says nothing about the hardness of finding discrete logarithms in any particular group, as illustrated by the ease of computing discrete logarithms in $\mathbb{Z}_N$.

Currently, the best-known algorithm for computing discrete logarithms in $\mathbb{Z}_p^*$ (for $p$ prime) is the general number field sieve.$^4$ Heuristically, this algorithm runs in time $2^{O(n^{1/3} \cdot (\log n)^{2/3})}$ on average to compute discrete logarithms in $\mathbb{Z}_p^*$ when $p$ has length $\|p\| = \Theta(n)$. Importantly, essentially no non-generic algorithms are currently known for computing discrete logarithms in certain specially-constructed elliptic curve groups (cf. Section 7.3.4). This means that for such groups, as long as the group order is prime (so as to preclude using the Pohlig-Hellman algorithm), only exponential-time algorithms for computing discrete logarithms are known.

To get a sense for the practical importance of this latter remark, we can compare the group sizes needed for each type of group in order to make the discrete logarithm problem equally hard. (This will be a rough comparison only, as a more careful comparison would, for starters, need to take into account the constants implicit in the big-$O$ notation of the running times given above.) For a 1024-bit prime $p$, the general number field sieve computes discrete logarithms in $\mathbb{Z}_p^*$ in roughly $2^{66}$ steps.

This matches the time needed to compute discrete logarithms using the best generic algorithm in an elliptic curve group of order $q$, where $q$ is a 132-bit prime, since then $\sqrt{q} \approx 2^{66}$. We see that a significantly smaller elliptic curve group, with concomitantly faster group operations, can be used without reducing the difficulty of the discrete logarithm problem (at least with respect to the best currently-known techniques). Roughly speaking, then, by using elliptic curve groups in place of $\mathbb{Z}_p^*$ we obtain cryptographic schemes that are more efficient for the honest parties, but that are equally hard for an adversary to break. This explains why they have become popular, especially when implemented on weak hardware.


8.2.1  The  Baby-Step/Giant-Step  Algorithm 

The baby-step/giant-step algorithm, due to Shanks, computes discrete logarithms 
in a group of order $q$ in time $O(\sqrt{q} \cdot \mathrm{polylog}(q))$. The idea is simple. 
Given input $g$ and $y \in \langle g \rangle$, we can imagine the elements of $\langle g \rangle$ laid out in a 
circle as 

$$1 = g^0,\ g^1,\ \ldots,\ g^{q-1},$$

and we know that $y$ must lie somewhere on this circle. Computing and writing 
down all the points on this circle would take $\Omega(q)$ time. Instead, we “mark 
off” the circle at intervals of size $t = \lfloor \sqrt{q} \rfloor$; that is, we compute and record 
the $\lfloor q/t \rfloor + 1 = O(\sqrt{q})$ elements 

$$g^0,\ g^t,\ g^{2t},\ \ldots$$

(These are the “giant steps”.) Note that the “gap” between any consecutive 
“marks” on the circle is at most $t$. Furthermore, we know that $y$ lies in 
one of these gaps. We are thus guaranteed that one of the $t$ elements 

$$y \cdot g^0,\ y \cdot g^1,\ \ldots,\ y \cdot g^{t-1}$$

will be equal to one of the points we have marked off. (These are the “baby 
steps”.) Say $y \cdot g^i = g^{kt}$. We can easily solve this to obtain $y = g^{kt - i}$ or 
$\log_g y = [kt - i \bmod q]$. Pseudocode for this algorithm follows. 

$^4$ It is no accident that this name is shared by algorithms for factoring and for computing 
discrete logarithms, since these algorithms share many of the same underlying steps. 


ALGORITHM 8.5 

The baby-step/giant-step algorithm 

Input: Elements $g \in \mathbb{G}$ and $y \in \langle g \rangle$; the order $q$ of $g$ 
Output: $\log_g y$ 

    $t := \lfloor \sqrt{q} \rfloor$ 
    for $i = 0$ to $\lfloor q/t \rfloor$: 
        compute $g_i := g^{i \cdot t}$ 
    sort the pairs $(i, g_i)$ by their second component 
    for $i = 0$ to $t$: 
        compute $y_i := y \cdot g^i$ 
        if $y_i = g_k$ for some $k$, return $[kt - i \bmod q]$ 

The algorithm requires $O(\sqrt{q})$ exponentiations and multiplications in $\mathbb{G}$, 
and each exponentiation can be done in time $O(\mathrm{polylog}(q))$ using an efficient 
exponentiation algorithm. (Actually, other than the first value $g_1 = g^t$, each 
value $g_i$ can be computed using a single multiplication as $g_i := g_{i-1} \cdot g_1$. 
Similarly, each $y_i$ can be computed as $y_i := y_{i-1} \cdot g$.) Sorting the $O(\sqrt{q})$ pairs 
$(i, g_i)$ can be done in time $O(\sqrt{q} \cdot \log q)$, and we can then use binary search to 
check whether $y_i$ is equal to some $g_k$ in time $O(\log q)$. The overall algorithm 
thus runs in time $O(\sqrt{q} \cdot \mathrm{polylog}(q))$. 

Example 8.6 

We show an application of the algorithm in the cyclic group of order 
$q = 29 - 1 = 28$. Take $g = 2$ and $y = 17$. We set $t = 5$ and compute: 

$$2^0 = 1,\quad 2^5 = 3,\quad 2^{10} = 9,\quad 2^{15} = 27,\quad 2^{20} = 23,\quad 2^{25} = 11.$$

(It should be understood that all operations are in $\mathbb{Z}_{29}^*$.) Then compute: 

$$17 \cdot 2^0 = 17,\quad 17 \cdot 2^1 = 5,\quad 17 \cdot 2^2 = 10,\quad 17 \cdot 2^3 = 20,\quad 17 \cdot 2^4 = 11,\quad 17 \cdot 2^5 = 22,$$

and notice that $2^{25} = 11 = 17 \cdot 2^4$. We thus have $\log_2 17 = 25 - 4 = 21$. ◇ 
8.2.2 The Pohlig-Hellman Algorithm 

The Pohlig-Hellman algorithm can be used to speed up the computation 
of discrete logarithms when any non-trivial factors of the group order $q$ are 
known. Recall that the order of an element $g$, which we denote here by $\mathrm{ord}(g)$, 
is the smallest positive $i$ for which $g^i = 1$. We will need the following lemma: 

LEMMA 8.7 Let $\mathrm{ord}(g) = q$, and say $p \mid q$. Then $\mathrm{ord}(g^p) = q/p$. 

PROOF Since $(g^p)^{q/p} = g^q = 1$, the order of $g^p$ is certainly at most $q/p$. 
Let $i > 0$ be such that $(g^p)^i = 1$. Then $g^{pi} = 1$ and, since $q$ is the order of $g$, 
it must be the case that $pi \geq q$ or equivalently $i \geq q/p$. The order of $g^p$ is 
therefore exactly $q/p$. ∎ 


We will also use a generalization of the Chinese remainder theorem: if 
$q = \prod_{i=1}^k q_i$ with the $\{q_i\}$ pairwise relatively prime (i.e., $\gcd(q_i, q_j) = 1$ for 
all $i \neq j$), then 

$$\mathbb{Z}_q \simeq \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_k} \quad \text{and} \quad \mathbb{Z}_q^* \simeq \mathbb{Z}_{q_1}^* \times \cdots \times \mathbb{Z}_{q_k}^*.$$

(This can be proved by induction on $k$, using the basic Chinese remainder 
theorem as the base case.) Moreover, by an extension of the algorithm in 
Section 7.1.5 it is possible to convert efficiently between the representation 
of an element as an element of $\mathbb{Z}_q$ and its representation as an element of 
$\mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_k}$. 

We now describe the Pohlig-Hellman approach. We are given $g$ and $y$ and 
wish to find an $x$ such that $g^x = y$. Let $\mathrm{ord}(g) = q$, and say a factorization 

$$q = \prod_{i=1}^k q_i$$

is known with the $\{q_i\}$ pairwise relatively prime. (Note that this need not be 
the complete prime factorization of $q$.) We know that 

$$y^{q/q_i} = \left(g^x\right)^{q/q_i} = \left(g^{q/q_i}\right)^x \quad \text{for } i = 1, \ldots, k. \tag{8.4}$$

Letting $g_i := g^{q/q_i}$, we thus have $k$ instances of a discrete logarithm problem 
in $k$ smaller groups, each of size $\mathrm{ord}(g_i) = q_i$ (by Lemma 8.7). 

We can solve each of the $k$ resulting instances using any other algorithm for 
solving the discrete logarithm problem; for concreteness, let us assume that 
the baby-step/giant-step algorithm of the previous section is used. Solving 
these instances gives a set of answers $\{x_i\}_{i=1}^k$ for which $g_i^{x_i} = y^{q/q_i} = g_i^x$. 
(The second equality follows from Equation (8.4).) Proposition 7.50 implies 
that $x = x_i \bmod q_i$ for all $i$. By the generalized Chinese remainder theorem 
discussed earlier, the constraints 

$$x = x_1 \bmod q_1,\quad \ldots,\quad x = x_k \bmod q_k$$

uniquely determine $x$ modulo $q$. Thus, $x$ can be efficiently reconstructed from 
$x_1, \ldots, x_k$, as required. 


Example 8.8 

We apply the ideas introduced here to again compute a discrete logarithm in 
$\mathbb{Z}_p^*$. Here, take $p = 31$ with the order of $\mathbb{Z}_{31}^*$ being $q = 31 - 1 = 30 = 5 \cdot 3 \cdot 2$. 
Say $g = 3$ and $y = 26 = g^x$. We have: 

$$\left(3^{30/5}\right)^x = 26^{30/5} \;\Rightarrow\; \left(3^6\right)^x = 26^6 \;\Rightarrow\; 16^x = 1$$

$$\left(3^{30/3}\right)^x = 26^{30/3} \;\Rightarrow\; \left(3^{10}\right)^x = 26^{10} \;\Rightarrow\; 25^x = 5$$

$$\left(3^{30/2}\right)^x = 26^{30/2} \;\Rightarrow\; \left(3^{15}\right)^x = 26^{15} \;\Rightarrow\; 30^x = 30.$$

(Once again, we omit the “mod 31” since this is understood.) Solving each 
equation, we obtain 

$$x = 0 \bmod 5,\quad x = 2 \bmod 3,\quad x = 1 \bmod 2,$$

and so $x = 5 \bmod 30$. Indeed, $3^5 = 26 \bmod 31$. ◇ 
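As an added example (not the textbook's code), the following Python implements Algorithm 8.5 and the Pohlig-Hellman reduction of this section for the group $\mathbb{Z}_p^*$, and checks both against Examples 8.6 and 8.8. A hash table replaces the sort-and-binary-search of the pseudocode, and the function names and the coprimality checks are my own.

```python
# Added example: Algorithm 8.5 (baby-step/giant-step) and the Pohlig-Hellman
# reduction, written for the multiplicative group Z_p^*.  Not the textbook's
# code; function names and the checks on Examples 8.6 and 8.8 are my own.
from math import gcd, isqrt, prod


def bsgs(g, y, q, p):
    """Return log_g y in Z_p^*, where g has order q (Algorithm 8.5).

    A dictionary plays the role of the sorted list plus binary search in the
    text: O(1) expected lookups instead of O(log q), same O(sqrt q) steps.
    """
    t = isqrt(q) or 1                  # t = floor(sqrt(q)); guard q = 1
    giant = {}                         # maps g^{kt} -> k  ("marks" on the circle)
    g_t = pow(g, t, p)
    cur = 1                            # g^{0*t}
    for k in range(q // t + 1):        # k = 0 .. floor(q/t)
        giant.setdefault(cur, k)
        cur = cur * g_t % p            # next giant step: one multiplication
    cur = y % p                        # y * g^0
    for i in range(t + 1):             # baby steps y*g^0, y*g^1, ..., y*g^t
        if cur in giant:               # y * g^i = g^{kt}  =>  log = kt - i
            return (giant[cur] * t - i) % q
        cur = cur * g % p
    raise ValueError("y is not in the subgroup generated by g")


def crt(residues, moduli):
    """Combine x = r_i mod m_i (pairwise coprime m_i) into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        # choose k with x + m*k = r (mod mi); pow(m, -1, mi) needs Python 3.8+
        k = (r - x) * pow(m, -1, mi) % mi
        x, m = x + m * k, m * mi
    return x % m


def pohlig_hellman(g, y, q, p, factors):
    """Return log_g y in Z_p^* when ord(g) = q = prod(factors) is known and the
    factors are pairwise coprime (they need not be prime).  Each sub-instance
    is solved with bsgs in a group of order q_i; the answers are combined by CRT.
    """
    assert prod(factors) == q, "factors must multiply to the group order"
    assert all(gcd(a, b) == 1 for i, a in enumerate(factors)
               for b in factors[i + 1:]), "factors must be pairwise coprime"
    residues = []
    for qi in factors:
        gi = pow(g, q // qi, p)        # ord(g_i) = q_i by Lemma 8.7
        yi = pow(y, q // qi, p)        # y^{q/q_i} = g_i^x, Equation (8.4)
        residues.append(bsgs(gi, yi, qi, p))   # x_i = x mod q_i (Prop. 7.50)
    return crt(residues, factors)


if __name__ == "__main__":
    # Example 8.6: Z_29^*, g = 2 of order 28, y = 17  ->  21
    print(bsgs(2, 17, 28, 29))
    # Example 8.8: Z_31^*, g = 3 of order 30 = 5*3*2, y = 26  ->  5
    print(pohlig_hellman(3, 26, 30, 31, [5, 3, 2]))
```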

Assuming $q$ with factorization as above, and assuming the baby-step/giant-step 
algorithm is used to solve each of the smaller instances of the discrete 
logarithm problem, the running time of the entire algorithm will be 
$O\left(\mathrm{polylog}(q) \cdot \sum_{i=1}^k \sqrt{q_i}\right)$. Since $q$ can have at most $\log q$ factors, this simplifies 
to $O\left(\mathrm{polylog}(q) \cdot \max_i\{\sqrt{q_i}\}\right)$. Depending on the size of the largest known 
factor of $q$, this can be a marked improvement over the $O(\sqrt{q})$ algorithm 
given in the previous section. In particular, if $q$ has many small factors then 
the discrete logarithm problem in a group of order $q$ will be relatively easy to 
solve via this approach. As discussed in Section 7.3.2, this motivates choosing 
$q$ to be prime for cryptographic applications. 

If $q$ has prime factorization $q = \prod_{i=1}^k p_i^{e_i}$, the Pohlig-Hellman algorithm as 
described above solves the discrete logarithm problem in a group of order $q$ 
in time $O\left(\mathrm{polylog}(q) \cdot \max_i\left\{\sqrt{p_i^{e_i}}\right\}\right)$. Using additional ideas, this can be 
improved to $O\left(\mathrm{polylog}(q) \cdot \max_i\{\sqrt{p_i}\}\right)$; see Exercise 8.3. 

8.2.3 The Discrete Logarithm Problem in $\mathbb{Z}_N$ 

The algorithms shown in the preceding two sections are generic, in the sense 
that they are oblivious to the underlying group in which the discrete logarithm 
problem is defined (except for knowledge of the group order). The purpose of 
this brief section is merely to emphasize that non-generic algorithms, which 
make use of the particular (representation of the) group under consideration, 
can potentially perform much better. 

Consider the task of computing discrete logarithms in the (additive) group 
$\mathbb{Z}_N$ for arbitrary $N$. The problem is trivial with respect to the base $g = 1$: 
the discrete logarithm of element $y \in \mathbb{Z}_N$ is simply the integer $y$ itself since 
$y \cdot 1 = y \bmod N$. Note that, formally speaking, the ‘$y$’ on the left-hand side 
of this equation denotes the integer $y$ while the ‘$y$’ on the right-hand side 
denotes the element $y \in \mathbb{Z}_N$. Nevertheless, the particular nature of the group 
$\mathbb{Z}_N$ allows us to essentially view these two instances of ‘$y$’ interchangeably. 

Things are only mildly more complicated if a generator $g \neq 1$ is used. 
(Exercise 8.4 deals with the case when $g$ is not a generator of $\mathbb{Z}_N$.) Let $g$ 
be a generator and say we want to compute $x$ such that $x \cdot g = y \bmod N$ for 
some given value $y$. Using Theorem B.18 (along with the fact that 1 is a 
generator), we have $\gcd(g, N) = 1$. But then $g$ has a multiplicative inverse 
$g^{-1}$ modulo $N$ (and this inverse can be computed efficiently as discussed in 
Appendix B.2.2). The desired solution is simply $x = y \cdot g^{-1} \bmod N$. 

It is interesting to pinpoint once again exactly what non-generic properties 
of $\mathbb{Z}_N$ are being used here. In this case, the algorithm implicitly uses the fact 
that an operation (namely, multiplication modulo $N$) other than the group 
operation (i.e., addition modulo $N$) is defined on the elements of the group. 

8.2.4 The Index Calculus Method 

The index calculus method solves the discrete logarithm problem in the 
cyclic group $\mathbb{Z}_p^*$ (for $p$ prime) in time that is sub-exponential in the length 
of $p$. The astute reader may notice that the algorithm as we will describe it 
bears some resemblance to the quadratic sieve factoring algorithm introduced 
in Section 8.1.3. As in the case of that algorithm, we discuss the main ideas 
used by the index calculus method but the details are beyond the scope of 
our treatment. Also, some simplifications are introduced to clarify the 
presentation. 

The index calculus method uses a two-step process. Importantly, the first 
step requires knowledge only of the modulus $p$ and the base $g$ and so it can be 
run as a ‘pre-processing step’ before $y$ — the value whose discrete logarithm 
we are interested in — is known. For the same reason, it suffices to run 
the first step only once in order to solve multiple instances of the discrete 
logarithm problem (as long as all these instances share the same $p$ and $g$). 

Step 1. Let $q = p - 1$, the order of $\mathbb{Z}_p^*$. Fix a set $B = \{p_1, \ldots, p_k\}$ of 
small prime numbers. In this step, we find $\ell > k$ distinct, non-zero values 
$x_1, \ldots, x_\ell \in \mathbb{Z}_q$ for which $g_i = [g^{x_i} \bmod p]$ is “small”, so that $g_i$ can be 
factored over the integers (using, e.g., trial division) and such that all the prime 
factors of $g_i$ lie in $B$. We do not discuss how these $\{x_i\}$ are found. 
Following this step, we have equations of the form: 

$$g^{x_1} = \prod_{i=1}^k p_i^{e_{1,i}} \bmod p$$

$$\vdots$$

$$g^{x_\ell} = \prod_{i=1}^k p_i^{e_{\ell,i}} \bmod p.$$

Taking discrete logarithms of each side, we can transform these into linear 
equations: 

$$x_1 = \sum_{i=1}^k e_{1,i} \cdot \log_g p_i \bmod (p - 1)$$

$$\vdots \tag{8.5}$$

$$x_\ell = \sum_{i=1}^k e_{\ell,i} \cdot \log_g p_i \bmod (p - 1).$$

Note that the $\{x_i\}$ and the $\{e_{j,i}\}$ are known, while the $\{\log_g p_i\}$ are unknown. 

Step 2. Now we are given an element $y$ and want to compute $\log_g y$. Here, 
we find a value $x^* \in \mathbb{Z}_q$ for which $g^* = [g^{x^*} \cdot y \bmod p]$ is “small”, so that $g^*$ 
can be factored over the integers and such that all the prime factors of $g^*$ lie 
in $B$. We do not discuss how $x^*$ is found. 

Say 

$$g^{x^*} \cdot y = \prod_{i=1}^k p_i^{e_i^*} \bmod p \;\Rightarrow\; x^* + \log_g y = \sum_{i=1}^k e_i^* \cdot \log_g p_i \bmod (p - 1),$$

where $x^*$ and the $\{e_i^*\}$ are known. Combined with Equation (8.5), we have 
$\ell + 1 > k + 1$ linear equations in the $k + 1$ unknowns $\{\log_g p_i\}_{i=1}^k$ and $\log_g y$. 
Using linear-algebraic$^5$ methods (and assuming the system of equations is not 
under-defined), we can solve for each of the unknowns and in particular solve 
for the desired solution $\log_g y$. 


$^5$ Technically, things are slightly more complicated since the linear equations are all modulo 
$p - 1$, which is not prime. Nevertheless, there exist techniques for dealing with this. 
Example 8.9 

Let $p = 101$, $g = 3$, and $y = 87$. We have $3^{10} = 65 \bmod 101$, and $65 = 5 \cdot 13$ 
(over the integers). Similarly, $3^{12} = 80 = 2^4 \cdot 5 \bmod 101$ and $3^{14} = 13 \bmod 101$. 
We thus have the linear equations 

$$10 = \log_3 5 + \log_3 13 \bmod 100$$

$$12 = 4 \cdot \log_3 2 + \log_3 5 \bmod 100$$

$$14 = \log_3 13 \bmod 100.$$

We also have $3^5 \cdot 87 = 32 = 2^5 \bmod 101$, or 

$$5 + \log_3 87 = 5 \cdot \log_3 2 \bmod 100. \tag{8.6}$$

Adding the second and third equations and subtracting the first, we derive 
$4 \cdot \log_3 2 = 16 \bmod 100$. This doesn’t determine $\log_3 2$ uniquely, but it does 
tell us that $\log_3 2 = 4, 29, 54$, or $79$ (cf. Exercise 8.4). Trying all possibilities 
shows that $\log_3 2 = 29$. Plugging this into Equation (8.6) gives $\log_3 87 = 40$. ◇ 
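As an added example (not the textbook's code), the Python below implements the $\mathbb{Z}_N$ discrete logarithm of Section 8.2.3, extended to a non-generator base by the gcd reduction of Exercise 8.4, and then uses that routine together with trial division over the factor base $B = \{2, 5, 13\}$ to carry Example 8.9 through to $\log_3 87 = 40$. The function names are my own, and the three exponents 10, 12, 14 are taken from the example rather than searched for.

```python
# Added example, not the textbook's code: discrete logarithms in the additive
# group Z_N (Section 8.2.3 / Exercise 8.4), plus the factor-base bookkeeping
# needed to redo Example 8.9 of the index calculus method.  Names are my own.
from math import gcd


def additive_dlog(g, y, N):
    """All x in Z_N with x*g = y mod N, in increasing order.

    If g is a generator (gcd(g, N) = 1) the unique answer is y * g^{-1} mod N.
    Otherwise, with d = gcd(g, N): no solution unless d | y, and then
    x * (g/d) = (y/d) mod (N/d) has one solution x0 modulo N/d, so the
    solutions modulo N are x0 + j*(N/d) for j = 0, ..., d-1 (Exercise 8.4).
    """
    d = gcd(g, N)
    if y % d != 0:
        return []
    n_red = N // d
    x0 = (y // d) * pow(g // d, -1, n_red) % n_red   # gcd(g/d, N/d) = 1
    return [x0 + j * n_red for j in range(d)]


def factor_over_base(n, base):
    """Trial-divide n over the factor base; return the exponent vector
    [e_1, ..., e_k] if n is B-smooth, else None."""
    exps = []
    for p_i in base:
        e = 0
        while n % p_i == 0:
            n //= p_i
            e += 1
        exps.append(e)
    return exps if n == 1 else None


def smooth_relations(g, p, base, exponents):
    """Step 1 bookkeeping: for each candidate x, keep (x, e-vector) whenever
    [g^x mod p] factors completely over the base."""
    rels = []
    for x in exponents:
        ev = factor_over_base(pow(g, x, p), base)
        if ev is not None:
            rels.append((x, ev))
    return rels


def example_8_9():
    """Redo Example 8.9: p = 101, g = 3, y = 87, B = {2, 5, 13}."""
    p, g, y, q = 101, 3, 87, 100
    base = [2, 5, 13]
    (x1, e1), (x2, e2), (x3, e3) = smooth_relations(g, p, base, [10, 12, 14])
    # 3^10 = 65 = 5*13, 3^12 = 80 = 2^4*5, 3^14 = 13: the three equations (8.5).
    # "second + third - first" cancels log 5 and log 13 from the system.
    coef = [e2[i] + e3[i] - e1[i] for i in range(len(base))]   # [4, 0, 0]
    rhs = (x2 + x3 - x1) % q                                    # 16
    # 4 * log_3 2 = 16 mod 100 has gcd(4, 100) = 4 solutions; test each one.
    candidates = additive_dlog(coef[0], rhs, q)                 # [4, 29, 54, 79]
    log2 = next(c for c in candidates if pow(g, c, p) == 2)     # 29
    logs = {2: log2, 13: x3 % q, 5: (x1 - x3) % q}              # from eqs 3 and 1
    # Step 2: 3^5 * 87 = 32 = 2^5, i.e. x* = 5 and e* = [5, 0, 0] (Equation (8.6)).
    x_star = 5
    e_star = factor_over_base(pow(g, x_star, p) * y % p, base)
    log_y = (sum(e * logs[b] for e, b in zip(e_star, base)) - x_star) % q   # 40
    return candidates, log2, log_y


if __name__ == "__main__":
    print(additive_dlog(7, 3, 10))   # generator case: [9]
    print(additive_dlog(4, 6, 10))   # non-generator case: [4, 9]
    print(example_8_9())             # ([4, 29, 54, 79], 29, 40)
```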

Running time. It can be shown that with appropriate optimizations the 
index calculus algorithm runs in time to compute discrete logarithms 
in $\mathbb{Z}_p^*$ for $p$ a prime of length $n$. The important point is that this 
is sub-exponential in $\|p\|$. Note that the expression for the running time is 
identical to that of the quadratic sieve method. 


References  and  Additional  Reading 
lished a related rho method for computing discrete logarithms.) The quadratic 
Dixon [49]. 

The baby-step/giant-step approach to computing discrete logarithms is 
due to Shanks [126], and the Pohlig-Hellman algorithm was published in 
1978 [114]. For a discussion of the index calculus method, as well as an 
overview of methods for computing discrete logarithms, the reader is referred 
to the survey by Odlyzko [112]. 

The  texts  by  Wagstaff  [142],  Shoup  [131],  Crandall  and  Pomerance  [40], 
and  Bressoud  [29]  all  provide  further  information  regarding  algorithms  for 
factoring  and  computing  discrete  logarithms. 

Lower  bounds  on  so-called  generic  algorithms  for  computing  discrete  loga- 
rithms (i.e.,  algorithms  that  apply  to  arbitrary  groups  without  regard  for  the 
way  the  group  is  represented)  are  given  by  Nechaev  [111]  and  Shoup  [128]. 
Lenstra and Verheul [94] provide a comprehensive discussion of how the 
known  algorithms  for  factoring  and  computing  discrete  logarithms  affect  the 
choice  of  cryptographic  parameters  in  practice. 


Exercises 

8.1 In order to speed up the key generation algorithm for RSA, it has been 
suggested to generate a prime by generating many small random primes, 
multiplying them together and adding one (of course, then checking that 
the result is prime). Ignoring the question of the probability that such 
a value really is prime, what do you think of this method? 

8.2 Here we show how to solve the discrete logarithm problem in a cyclic 
group of order $q = p^e$ in time $O(\mathrm{polylog}(q) \cdot \sqrt{p})$. Given as input a generator 
$g$ of known order $p^e$ and a value $y$, we want to compute $x = \log_g y$. 
Note that $p$ can be computed easily from $q$ (see Exercise 7.11). 

(a) Show how to find $[x \bmod p]$ in time $O(\mathrm{polylog}(q) \cdot \sqrt{p})$. 
Hint: Solve the equation 

and use the same ideas as in the Pohlig-Hellman algorithm. 

(b) Say $x = x_0 + x_1 \cdot p + \cdots + x_{e-1} \cdot p^{e-1}$ with $0 \leq x_j < p$. In the previous 
step we determined $x_0$. Show how to compute in $\mathrm{polylog}(q)$ time a 
value $y_1$ such that $(g^p)^{x_1 + x_2 \cdot p + \cdots + x_{e-1} \cdot p^{e-2}} = y_1$. 

(c) Use recursion to obtain the claimed running time for the original 
problem. (Note that $e = \mathrm{polylog}(p)$.) 

8.3 Let $q$ have prime factorization $q = \prod_{i=1}^k p_i^{e_i}$. Using the result from the 
previous problem, show a modification of the Pohlig-Hellman algorithm 
that solves the discrete logarithm problem in a group of order $q$ in time 

$$O\left(\mathrm{polylog}(q) \cdot \sum_{i=1}^k e_i \sqrt{p_i}\right) = O\left(\mathrm{polylog}(q) \cdot \max_i\{\sqrt{p_i}\}\right).$$

8.4 (a) Show that if $ab = c \bmod N$ and $\gcd(b, N) = d$, then: 

i. $d \mid c$; 

ii. $a \cdot (b/d) = (c/d) \bmod (N/d)$; and 

iii. $\gcd(b/d, N/d) = 1$. 

(b) Describe how to use the above to compute discrete logarithms in 
$\mathbb{Z}_N$ efficiently even when the base $g$ is not a generator of $\mathbb{Z}_N$. 

8.5 Using a variant of Claim 8.2, fully describe and analyze the constant-space 
birthday attack on cryptographic hash functions that was briefly 
described in Section 4.6.3. 


Chapter  9 


Private-Key  Management  and  the 
Public-Key  Revolution 


9.1  Limitations  of  Private-Key  Cryptography 

We  have  seen  that  private-key  cryptography  can  be  used  to  enable  secure 
communication  over  an  insecure  channel.  While  it  therefore  appears  to  solve 
completely  the  primary  problem  of  cryptography,  we  discuss  here  a number 
of  reasons  why  that  is  not  the  case. 


The  Key-Distribution  Problem 

Private-key cryptography requires shared, secret keys between the communicating 
parties. We have not yet dealt at all with the question of how these 
shared  keys  are  obtained  in  the  first  place.  Clearly,  these  keys  cannot  simply 
be  sent  over  an  insecure  communication  channel,  because  an  eavesdropping 
adversary  could  then  observe  them  en  route. 

The initial sharing of a secret key can be done using a secure channel that 
can  be  implemented,  e.g.,  using  a trusted  messenger  service.  This  option 
is  likely  to  be  unavailable  to  the  average  person,  though  governments,  the 
military,  intelligence  organizations,  and  other  such  entities  do  have  the  means 
to  share  keys  in  this  way.  (Indeed,  it  is  rumored  that  the  red  phone  connecting 
Moscow  and  Washington  was  encrypted  using  a one-time  pad,  where  the  keys 
were  shared  by  diplomats  who  flew  from  one  country  to  the  other  carrying 
briefcases  full  of  print-outs  of  the  pad.)  A more  pragmatic  method  for  two 
parties  to  share  a key  is  for  these  parties  to  arrange  a physical  meeting  at 
which  time  a random  key  can  be  generated,  and  a copy  of  the  key  given  to 
each  party.  Although  one  can  imagine  two  users  arranging  such  a meeting  on 
a dark  street  corner,  a more  commonplace  setting  where  this  might  take  place 
is  a standard  work  environment.  For  example,  a manager  might  share  a key 
with  each  employee  on  the  day  when  that  employee  first  shows  up  at  work. 

While  this  might  be  a viable  approach  when  only  the  manager  shares  keys 
with  each  employee,  it  does  not  scale  well  when  all  employees  are  required  to 
share  keys  with  each  other.  Extending  the  above  approach  would  mean  that 
every time a new employee arrived, all other employees would have to share a 
new secret key with her. This would be especially problematic if the company 
were  large  and  had  offices  in  a number  of  different  physical  locations. 

A partial  solution  in  this  setting  is  to  use  a designated  “controller”  (say,  the 
IT  manager  of  the  company)  to  establish  shared  keys  between  all  employees. 
Specifically,  when  a new  employee  joins  the  company  the  controller  could 
generate random keys $k_1, \ldots$, give these keys (in person) to the new employee, 
and then send key $k_i$ to the $i$th existing employee by encrypting $k_i$ using the 
secret  key  shared  between  the  controller  and  this  employee.  (We  assume 
here  that  the  controller  is  an  employee,  and  so  all  existing  employees  share 
a key  with  him.)  This  is  a very  cumbersome  approach.  More  importantly, 
it  does  not  give  a complete  solution  since  keys  are  not  completely  secret.  A 
dishonest  controller  could  decrypt  all  inter-employee  communication,  and  if 
an  adversary  ever  compromised  the  controller’s  computer  then  all  keys  in  the 
system  would  be  revealed. 


Key  Storage  and  Secrecy 

Consider  again  the  aforementioned  work  environment  where  each  pair  of 
employees shares a secret key. When there are $U$ employees, the number of 
secret keys in the system is $\binom{U}{2} = O(U^2)$. More importantly, this means 
that every employee holds $U - 1$ secret keys. In fact, the situation may be 
far  worse  because  employees  may  also  need  keys  in  order  to  communicate 
securely  with  remote  resources  such  as  databases,  servers,  and  so  on.  When 
the  organization  in  question  is  large  this  creates  a huge  problem,  on  a number 
of  levels.  First,  the  proliferation  of  many  secret  keys  is  a significant  logistical 
problem.  Second,  all  these  secret  keys  must  be  stored  securely.  The  more 
keys  there  are,  the  harder  it  is  to  protect  them,  and  the  higher  the  chance  of 
some  keys  being  stolen  by  an  adversary.  Computer  systems  are  often  infected 
by  viruses,  worms,  and  other  forms  of  malicious  software.  These  malicious 
programs  can  be  instructed  to  steal  secret  keys  and  send  them  quietly  over 
the  network  to  an  attacker;  such  programs  have  been  deployed  in  the  past 
and  their  existence  is  not  only  a theoretical  threat.  Thus,  storing  keys  on  a 
personal  computer  is  not  always  a reasonable  solution. 

Potential  compromise  of  secret  keys  is  always  a concern,  irrespective  of  the 
number  of  keys  each  party  holds.  When  only  a few  keys  need  to  be  stored, 
however,  there  are  good  solutions  available  for  dealing  with  this  threat.  A 
typical  solution  today  is  to  store  keys  on  a smartcard,  a highly-protected 
hardware  device.  The  smartcard  can  carry  out  cryptographic  computations 
using  the  stored  secret  keys,  ensuring  that  these  keys  never  make  their  way 
onto  users’  personal  computers.  Since  smartcards  are  much  more  resilient 
to  attack  than  personal  computers  — for  example,  they  typically  cannot  be 
infected  by  a virus  — this  offers  a good  means  of  protecting  users’  secret 
keys.  Unfortunately,  smartcards  are  typically  quite  limited  in  memory,  and 
so  cannot  store  hundreds  (or  thousands)  of  keys. 
In principle, of course, it is possible to securely store any number of keys and 
the  problem  of  secure  storage  can  be  solved  by  organizations,  like  governments, 
that  can  devote  significant  resources  to  the  problem,  though  often  at  great 
inconvenience.  The  second  author  once  spoke  to  someone  who  worked  for 
the  US  embassy  in  a Western  European  country  many  years  ago.  His  job 
was  to  decrypt  all  incoming  communications,  and  the  system  was  basically  as 
follows:  Whenever  an  encrypted  message  arrived,  he  took  the  message  to  a 
locked  and  guarded  room  where  all  secret  keys  were  stored.  He  then  found 
the  appropriate  key,  and  used  that  key  to  decrypt  the  message.  The  point  of 
the  story  is  that  governments  and  large-scale  organizations  can  potentially  use 
private-key cryptography alone for securing their communication. However, 
such  solutions  are  very  costly,  do  not  scale  well,  and  are  not  suitable  for 
settings  that  are  typical  for  industry  or  for  personal  use. 

Open  Systems 

As  discussed  above,  private-key  cryptography  can  be  difficult  to  deploy  and 
maintain,  and  requires  the  management  and  secure  storage  of  a significant 
number  of  keys.  At  least  in  theory,  however,  it  can  be  used  to  solve  the 
problem  of  secure  communication  in  “closed”  systems  where  it  is  possible  to 
distribute  secret  keys  via  physical  means.  Unfortunately,  in  “open”  settings 
where  parties  have  no  way  of  securely  distributing  keys,  private-key  cryptog- 
raphy by  itself  is  simply  insufficient.  For  example,  when  encryption  is  needed 
for  making  a purchase  over  the  Internet,  or  for  sending  email  to  a colleague 
in  another  country  (whom  the  sender  may  never  have  met),  private-key  cryp- 
tography alone  simply  does  not  provide  a solution.  Due  to  its  importance,  we 
reiterate  this  point: 

Solutions that are based on private-key cryptography are not sufficient 
to deal with the problem of secure communication in open systems 
where parties cannot physically meet, or where parties have 
transient interactions. 

This  situation  means  that  we  must  look  further  for  adequate  solutions. 


9.2  A Partial  Solution  — Key  Distribution  Centers 

As  we  have  described,  there  are  three  distinct  problems  that  arise  with 
respect to the use of private-key cryptography. The first is that of key 
distribution; the second is that of managing so many secret keys; and the third 
is  the  inapplicability  of  private-key  cryptography  in  open  systems.  Although 
it  is  impossible  to  fully  solve  the  first  problem,  there  is  a solution  that  alle- 
viates the  first  two  problems  and  makes  it  feasible  to  implement  private-key 
solutions in large organizations. An extension of the idea (that we do not dis- 
cuss further)  allows  private-key  cryptography  to  be  used  in  “partially-open” 
systems  consisting  of  multiple  organizations  that  mutually  trust  each  other  to 
some  limited  extent. 

Key  distribution  centers.  Consider  again  the  case  of  a large  organization 
where all pairs of employees must be able to communicate securely. The solu- 
tion in  which  each  pair  of  employees  shares  a key  results  in  a huge  proliferation 
of  keys.  A different  approach  is  to  rely  on  the  fact  that  all  employees  may 
trust  some  entity  — say,  the  IT  manager  of  the  organization  — at  least  with 
respect  to  the  security  of  work-related  information.  It  is  therefore  possible 
for  the  IT  manager  to  set  up  a single  server,  called  a key  distribution  cen- 
ter (KDC),  that  can  act  as  an  intermediary  between  employees  that  wish  to 
communicate.  A KDC  can  work  in  the  following  way.  First,  all  employees 
share  a single  key  with  the  KDC;  this  key  can  be  generated  and  shared,  e.g., 
on  the  employee’s  first  day  at  work.  Then,  when  employee  Alice  wants  to 
communicate  securely  with  employee  Bob,  she  sends  a message  to  the  KDC 
saying  'Alice  wishes  to  communicate  with  Bob'  (where  this  message  is 
authenticated  using  the  key  shared  by  Alice  and  the  KDC).  The  KDC  then 
chooses  a new  random  secret  key,  called  a session  key,  and  sends  this  key  to 
Alice  encrypted  using  Alice’s  key,  and  also  to  Bob  encrypted  using  Bob’s  key. 
Once  Alice  and  Bob  recover  the  session  key,  they  can  use  it  to  communicate 
securely.  When  they  are  done  with  their  conversation,  they  can  (and  should) 
erase  this  key  because  they  can  always  contact  the  server  again  should  they 
wish  to  communicate  again  at  some  later  time.  We  remark  that  this  is  just 
a sketch  of  the  solution  and  is  not  sufficient  to  provide  the  necessary  level  of 
security.  (It  is  beyond  the  scope  of  this  book  to  provide  rigorous  definitions 
and  proofs  for  analyzing  these  solutions.)  Nevertheless,  it  is  enough  to  give  a 
feeling  of  how  to  make  private-key  cryptography  workable. 

Consider the advantages of this approach: 

1.  Each  employee  needs  to  store  only  one  secret  key  and  so  a smartcard- 
type  solution  can  be  deployed.  It  is  true  that  the  KDC  needs  to  store 
many  keys.  However,  the  KDC  can  be  secured  in  a safe  place  and  given 
the  highest  possible  protection  against  network  attacks. 

2.  When  an  employee  joins  the  organization  all  that  must  be  done  is  to  set 
up  a secret  key  between  this  employee  and  the  KDC.  No  other  employees 
need  to  update  the  set  of  keys  they  hold.  The  same  is  true  when  an 
employee  leaves  the  organization. 

Thus,  this  approach  alleviates  two  problems  related  to  private-key  cryptogra- 
phy: key  distribution  is  simplified  (only  one  new  key  must  be  shared  when  a 
party  joins  the  organization),  and  key  storage  issues  are  resolved  (only  a single 
key  needs  to  be  stored  by  each  party  except  the  KDC).  This  approach  makes 
private-key  cryptography  practical  in  a single  organization,  where  there  is  one 
entity who is trusted by everyone. 
Having said this, there are also some disadvantages to this approach: 

1.  A successful  attack  on  the  KDC  will  result  in  a complete  break  of  the 
system  for  all  parties.  Thus,  the  motivation  to  break  into  the  KDC 
is  very  great,  increasing  the  security  risk.  In  addition,  an  adversary 
internal  to  the  organization  who  has  access  to  the  KDC  (for  example, 
the  IT  manager)  can  decrypt  all  communication  between  all  parties. 

2.  The  KDC  is  a single  point  of  failure:  if  the  KDC  crashes,  secure  commu- 
nication is  temporarily  impossible.  Since  all  employees  are  continually 
contacting  the  KDC,  the  load  on  the  KDC  can  be  very  high  thereby 
increasing the chances that it may fail or be slow to respond. 

A simple  solution  is  to  replicate  the  KDC.  This  works  (and  is  done  in 
practice),  but  the  existence  of  more  KDCs  means  that  there  are  now 
more  points  of  attack  on  the  system.  Furthermore,  it  becomes  more 
difficult  to  add  or  remove  employees,  since  updates  must  be  securely 
propagated  to  all  KDCs. 

The  KDC-based  solution  above  is  similar  to  the  solution  we  gave  earlier 
whereby  a designated  “controller”  sets  up  shared  keys  between  all  employees 
any  time  a new  employee  joins  the  organization.  In  the  previous  case,  the 
controller  is  essentially  acting  as  an  off-line  KDC.  Since  the  controller  is  only 
involved  in  the  initial  setup,  all  employees  still  need  to  hold  many  secret  keys. 
This  is  in  contrast  to  the  solution  given  here  where  the  KDC  is  online  and  so 
can  be  used  to  interactively  exchange  keys  between  any  pair  of  parties  when 
needed.  This  means  that  each  party  needs  to  store  only  a single  secret  key. 

Protocols  for  key  distribution  using  a KDC.  There  are  a number  of 
protocols  that  can  be  found  in  the  literature  for  secure  key  distribution  using 
a KDC.  One  of  these  is  the  classic  Needham-Schroeder  protocol.  We  will 
not  go  into  the  details  of  this  protocol  (or  any  other)  and  instead  refer  the 
reader  to  the  references  listed  at  the  end  of  this  chapter  for  more  details. 
We  do  mention  one  engineering  feature  of  the  protocol.  When  Alice  contacts 
the  KDC  and  asks  to  communicate  with  Bob,  the  KDC  does  not  send  the 
encrypted  session  key  to  both  Alice  and  Bob.  Rather,  the  KDC  sends  the 
session  key  encrypted  under  both  Alice’s  and  Bob’s  keys  to  Alice,  and  Alice 
herself  forwards  to  Bob  the  session  key  encrypted  under  his  key;  see  Figure  9.1. 
The  protocol  was  designed  in  this  way  due  to  the  fact  that  Bob  may  not  be 
online;  this  could  potentially  cause  a problem  for  the  KDC  who  might  “hang” 
indefinitely  waiting  for  Bob  to  respond.  By  sending  both  encrypted  keys  to 
Alice,  the  KDC  is  relieved  of  maintaining  an  open  session.  The  session  key 
encrypted  under  Bob’s  key  that  the  KDC  sends  to  Alice  is  called  a ticket,  and 
can  be  viewed  as  a credential  allowing  Alice  to  talk  to  Bob. 

We  remark  that  using  a CPA-secure  encryption  scheme  to  encrypt  the  ses- 
sion keys  leaves  the  protocol  vulnerable  to  attack;  it  is  actually  necessary  to 
use  a secure  message  transmission  scheme  as  introduced  in  Section  4.9. 
FIGURE 9.1: A general template for key-distribution protocols.
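The template of Figure 9.1, written out as an added example (this is not code from the book). The KDC answers Alice with one message carrying the session key under Alice's long-term key and, as the ticket, the same key under Bob's; Alice forwards the ticket and the KDC never waits for Bob. The toy authenticated encryption (HMAC-SHA256 used as a PRF in counter mode, then encrypt-then-MAC) is an assumption chosen so the example runs with the standard library only; it stands in for the secure message-transmission scheme of Section 4.9 and is not a production cipher. The last check shows why CPA security alone is not enough: a flipped bit in the ticket is rejected instead of silently decrypting to a different session key.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(k: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from one long-term key.
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    # PRF (HMAC-SHA256) in counter mode; XORing with it is CPA-secure but malleable on its own.
    blocks = [hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def ae_encrypt(k: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    k_enc, k_mac = _subkeys(k)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k_enc, nonce, len(msg))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def ae_decrypt(k: bytes, c: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify (tampering detected)."""
    k_enc, k_mac = _subkeys(k)
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def _pack(name: str, k_s: bytes) -> bytes:
    # Length-prefixed peer name followed by the session key (binds the key to the peer).
    n = name.encode()
    return struct.pack(">B", len(n)) + n + k_s


def _unpack(blob: bytes) -> Tuple[str, bytes]:
    n = blob[0]
    return blob[1:1 + n].decode(), blob[1 + n:]


class KDC:
    """Online KDC holding one long-term key per enrolled party (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.keys = {}

    def enroll(self, name: str) -> bytes:
        # In practice this key is set up over a private channel when the party joins.
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def request(self, requester: str, peer: str) -> Tuple[bytes, bytes]:
        """Figure 9.1: both encryptions go back to the requester; the peer is never contacted."""
        k_s = os.urandom(32)
        for_requester = ae_encrypt(self.keys[requester], _pack(peer, k_s))
        ticket = ae_encrypt(self.keys[peer], _pack(requester, k_s))
        return for_requester, ticket


def demo() -> dict:
    kdc = KDC()
    k_alice, k_bob = kdc.enroll("alice"), kdc.enroll("bob")

    for_alice, ticket = kdc.request("alice", "bob")
    peer, k_s_alice = _unpack(ae_decrypt(k_alice, for_alice))
    # Alice forwards the ticket to Bob; Bob opens it with the key he shares with the KDC.
    who, k_s_bob = _unpack(ae_decrypt(k_bob, ticket))

    # A single flipped ciphertext bit must be rejected, not turned into a different key.
    tampered = bytearray(ticket)
    tampered[NONCE_LEN + 5] ^= 0x01
    return {
        "keys_match": k_s_alice == k_s_bob,
        "names_bound": peer == "bob" and who == "alice",
        "tampered_ticket_rejected": ae_decrypt(k_bob, bytes(tampered)) is None,
    }
```

Running `demo()` returns all three checks as `True`. The name inside each encryption is what lets Bob see that the ticket was issued for a conversation with Alice; without the MAC, the tampered ticket would decrypt to an unrelated key and Bob would have no way to notice.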

In  practice,  protocols  like  the  Needham-Schroeder  protocol  are  widely  used. 
In  many  cases  Alice  and  Bob  might  not  both  be  users,  but  instead  Alice  might 
be  a user  and  Bob  a resource.  For  example,  Alice  may  wish  to  read  from  a 
protected  disk  on  some  server.  Alice  asks  for  “permission”  to  do  this  from  the 
KDC,  who  issues  Alice  a ticket  that  serves  as  Alice’s  credentials  for  reading 
from  that  disk.  This  ticket  contains  a session  key  (as  described  above)  and 
thus  Alice’s  communication  with  the  server  can  be  protected.  A very  widely- 
used  system  for  implementing  user  authentication  and  secure  communication 
via  a KDC  is  the  Kerberos  protocol  that  was  developed  at  MIT.  Kerberos 
has  a number  of  important  features,  and  is  the  method  used  by  Microsoft 
Windows  (in  Windows  2000  and  above)  for  securing  an  internal  network. 

We  conclude  by  noting  that  in  practice  the  secret  key  that  Alice  shares 
with  the  KDC  is  often  a short,  easy-to-memorize  password  (because  a typical 
user  may  not  have  a smart  card  for  storing  long  secret  keys).  In  this  case, 
many  additional  security  problems  arise  that  must  be  considered  and  dealt 
with.  Once  again,  we  refer  the  interested  reader  to  the  references  listed  at  the 
end  of  this  chapter  for  more  information  about  such  issues  and  how  they  are 
addressed. 


9.3  The  Public-Key  Revolution 

Key  distribution  centers  and  protocols  like  Kerberos  are  very  useful,  and 
are  commonly  used  in  practice.  However,  they  still  cannot  solve  the  prob- 
lem of  key  distribution  in  open  systems  like  the  Internet,  where  there  are 
no  private  channels.  (In  the  KDC  setting,  we  implicitly  assumed  the  exis- 
tence of  a private  channel  that  was  used  to  set  up  an  initial  key  between 
the  employees  and  the  KDC.)  To  achieve  private  communication  without  ever 
communicating  over  a private  channel,  something  radically  different  must  be 
used. In 1976, Whitfield Diffie and Martin Hellman published a paper with an innocent-looking title called “New Directions in Cryptography” [47]. The influence of this paper was enormous. In addition to introducing a fundamentally different way of looking at cryptography, it served as one of the first steps toward moving cryptography out of the private domain and into the public one. Before describing the basic ideas of Diffie and Hellman, we quote the first two paragraphs of their paper:

We  stand  today  on  the  brink  of  a revolution  in  cryptography.  The 
development  of  cheap  digital  hardware  has  freed  it  from  the  design 
limitations  of  mechanical  computing  and  brought  the  cost  of  high 
grade  cryptographic  devices  down  to  where  they  can  be  used  in  such 
commercial  applications  as  remote  cash  dispensers  and  computer 
terminals. 

In  turn,  such  applications  create  a need  for  new  types  of  crypto- 
graphic systems  which  minimize  the  necessity  of  secure  key  distri- 
bution channels  and  supply  the  equivalent  of  a written  signature. 

At  the  same  time,  theoretical  developments  in  information  theory 
and  computer  science  show  promise  of  providing  provably  secure 
cryptosystems,  changing  this  ancient  art  into  a science. 

Diffie and Hellman were not exaggerating, and the revolution they spoke of was due in great part to their work. Until 1976, it was well accepted that encryption simply could not be done without first sharing a secret key. However, Diffie and Hellman observed that there is a natural asymmetry in the world:
that  is,  there  are  certain  actions  that  can  be  easily  performed  but  not  easily 
reversed.  For  example,  padlocks  can  be  locked  without  a key  (i.e.,  easily),  but 
then  cannot  be  reopened.  More  strikingly,  it  is  easy  to  shatter  a glass  vase  but 
extremely  difficult  to  put  it  back  together  again.  Algorithmically,  and  more  to 
the  point,  it  is  easy  to  multiply  two  large  primes  but  difficult  to  recover  these 
primes  from  their  product  (this  is  exactly  the  factoring  problem  discussed  in 
the  previous  chapter).  The  existence  of  such  phenomena  implies  the  possibil- 
ity of  constructing  an  encryption  scheme  that  does  not  rely  on  shared  secrets, 
but  rather  one  for  which  encrypting  is  “easy”  but  reversing  this  operation 
(i.e.,  decrypting)  is  infeasible  for  anyone  other  than  the  designated  receiver. 

In  a bit  more  detail,  we  can  imagine  a cryptosystem  where  there  are  two 
keys  instead  of  one:  one  of  these  keys  is  an  encryption  key,  used  by  senders 
to  encrypt  their  messages,  and  the  other  is  a decryption  key,  used  by  the 
receiver  to  recover  the  message  from  a ciphertext.  Furthermore  — and  here 
it  is  amazing  that  something  of  this  sort  could  possibly  exist!  — the  secrecy 
of  encrypted  messages  should  be  preserved  even  against  an  adversary  who 
knows  the  encryption  key  (but  not  the  decryption  key).  Encryption  schemes 
with  this  property  are  called  asymmetric  or  public-key  encryption  schemes,  in 
contrast  to  the  symmetric,  or  private-key,  encryption  schemes  that  we  have 
seen  so  far.  In  a public-key  encryption  scheme  the  encryption  key  is  called 
the public key, since it is publicized by the receiver so that anyone who wishes
to  send  an  encrypted  message  may  do  so,  and  the  decryption  key  is  called  the 
private  key  since  it  is  kept  completely  private  by  the  receiver. 

The invention of public-key encryption was indeed a revolution in cryptography. It is no coincidence that until the late ’70s and early ’80s, encryption and cryptography in general belonged to the domain of intelligence and military organizations. It was only with the advent of public-key techniques that the use of cryptography spread to the masses.

A public-key encryption scheme enables private communication without ever relying on private channels.[1] A receiver can publicize her public key in the newspaper or on her webpage, thus enabling anyone to send her encrypted messages. The receiver could also simply send her public key via email to a particular sender of interest, without having to worry about the fact that an adversary eavesdropping on all her communication will also observe this public key.[2]

Let us summarize how public-key encryption addresses the limitations of the private-key setting as discussed in Section 9.1:

1.  Public-key  encryption  allows  key  distribution  to  be  done  over  public 
channels.  This  can  potentially  simplify  initial  deployment  of  the  system, 
and  can  also  ease  maintenance  of  the  system  when  parties  join  or  leave. 

2. Public-key encryption vastly reduces the need to store many secret keys.
Even  if  all  pairs  of  parties  want  the  ability  to  communicate  securely,  each 
party  need  only  store  his  own  private  key  in  a secure  fashion.  Other 
parties’  public  keys  can  either  be  obtained  when  needed,  or  stored  in  a 
non-secure  (i.e.,  publicly-readable)  fashion. 

3.  Finally,  public-key  cryptography  is  (more)  suitable  for  open  environ- 
ments where  parties  who  have  never  previously  interacted  want  the  abil- 
ity to  communicate  securely.  For  example,  a merchant  can  post  their 
public  key  on-line;  any  user  making  a purchase  can  obtain  the  mer- 
chant’s public  key,  as  needed,  when  they  need  to  encrypt  their  credit 
card  information. 

In  fairness,  we  should  emphasize  that  the  above  discussion  glosses  over  a 
number  of  issues,  most  importantly  the  need  to  ensure  authentic  distribution 
of  public  keys  in  the  first  place.  The  reader  will  have  to  wait  until  Section  12.8 
for  a more  complete  discussion  of  this  point. 

Public-key primitives. Diffie and Hellman actually introduced three distinct public-key (or asymmetric) primitives. The first is that of public-key


[1] For now, however, we do assume authenticated channels whereby each party “knows” who is communicating on the channel at the other end. In Section 12.8, when we discuss certification authorities and public-key infrastructures, we revisit this assumption.

[2] We assume here that the adversary cannot replace her public key. That is, we assume a public but authenticated channel; see the previous footnote.
encryption, described above; we study this notion in Chapters 10 and 11.
The second is a public-key analogue of message authentication codes, called digital signatures, which are introduced in Chapter 12. As with MACs, a digital signature scheme is used to prevent undetected tampering of a message.
In  contrast  to  MACs,  however,  authenticity  of  a message  can  be  verified  by 
anyone  knowing  only  the  public  key  of  the  sender.  This  turns  out  to  have 
far-reaching  ramifications.  Specifically,  it  is  possible  to  take  a document  that 
was  digitally  signed  by  Alice  and  present  it  to  a third  party,  say,  a judge,  as 
proof  that  Alice  indeed  signed  the  document.  Since  only  Alice  knows  the  cor- 
responding private  key,  this  serves  as  proof  that  Alice  signed  the  document. 
This  property  is  called  non-repudiation  and  has  extensive  applications  in  elec- 
tronic commerce.  For  example,  it  is  possible  to  digitally  sign  contracts,  send 
signed  electronic  purchase  orders  or  promises  of  payments  and  so  on.  Digital 
signatures  are  also  used  to  aid  in  the  secure  distribution  of  public  keys  within 
a “public-key  infrastructure”.  This  is  discussed  in  more  detail  in  Chapter  12. 

The third primitive introduced by Diffie and Hellman is that of interactive
key  exchange.  An  interactive  key-exchange  protocol  is  a method  whereby 
parties  who  do  not  share  any  secret  information  can  generate  a shared,  secret 
key  by  communicating  over  a public  channel.  The  main  property  guaranteed 
here  is  that  an  eavesdropping  adversary  who  sees  all  the  messages  sent  over 
the  communication  line  does  not  learn  anything  about  the  resulting  secret 
key.  Stopping  to  think  about  it,  the  existence  of  secure  key  exchange  is  quite 
amazing  — it  means  that,  in  principle,  if  you  and  a friend  stand  on  opposite 
sides  of  a room  you  can  shout  messages  to  each  other  in  such  a way  that  will 
allow  you  to  generate  a shared  secret  that  someone  else  (listening  to  everything 
you  say)  cannot  learn  anything  about! 

The main difference between key exchange and encryption is that the former is an interactive protocol, and so both parties are required to be on-line
simultaneously.  In  contrast,  encryption  is  (typically)  a non-interactive  pro- 
cess and  is  thus  more  appropriate  for  some  applications.  Secure  email,  for 
example,  requires  encryption  because  the  recipient  is  not  necessarily  on-line 
when  the  email  message  is  sent. 

Although Diffie and Hellman introduced all three of the above primitives
(i.e.,  public-key  encryption,  digital  signatures,  and  key  exchange),  they  only 
presented  a construction  of  a key-exchange  protocol.  We  describe  the  Diffie- 
Hellman  key-exchange  protocol  in  the  next  section.  A year  later,  Ron  Rivest, 
Adi  Shamir,  and  Len  Adleman  proposed  the  RSA  problem  and  presented 
the  first  public-key  encryption  and  digital  signature  schemes  based  on  the 
hardness  of  this  problem.  Variants  of  their  schemes  are  now  among  the  most 
widely  used  cryptographic  schemes  today.  Interestingly,  in  1985,  El  Gamal 
presented  an  encryption  scheme  that  is  essentially  a slight  twist  on  the  Diffie- 
Hellman key-exchange protocol. Thus, although Diffie and Hellman did not
succeed  in  constructing  a (non-interactive)  public-key  encryption  scheme,  they 
came  very  close. 
History. It is fascinating to read about the history leading to the public-key revolution initiated by Diffie and Hellman. Similar ideas were being worked on by others around the same time. Another researcher doing similar and independent work was Ralph Merkle, considered by many to be a co-inventor of public-key cryptography (though he published after Diffie and Hellman).
We  mention  also  the  work  of  Michael  Rabin,  who  developed  constructions  of 
signature  schemes  and  public-key  encryption  schemes  based  on  the  hardness 
of  factoring  about  1 year  after  the  work  of  Rivest,  Shamir,  and  Adleman.  It 
appears  also  that  a public-key  encryption  scheme  was  known  to  the  intelli- 
gence world  (at  the  British  intelligence  agency  GCHQ)  in  the  early  1970s, 
prior  to  the  publication  of  the  Diffie-Hellman  paper.  Although  the  underlying 
mathematics  of  public-key  encryption  may  have  been  discovered  before  1976, 
it  is  fair  to  say  that  the  widespread  ramifications  of  this  new  technology  were 
not  appreciated  until  Diffie  and  Heilman  came  along. 

At the time their work was carried out, Diffie and Hellman (and others publishing papers in cryptography) were essentially under threat of prosecution.
This  is  due  to  the  fact  that  under  the  International  Traffic  in  Arms  Regula- 
tions (ITAR),  technical  literature  on  cryptography  was  considered  an  imple- 
ment of  war.  Although  cryptographic  publications  soon  became  accepted  and 
widespread,  at  the  time  they  were  considered  by  some  to  be  highly  sensitive. 
Hellman tells a story where he personally gave a conference presentation of
joint  work  with  Ralph  Merkle  and  Steven  Pohlig  (who  were  graduate  students 
at  the  time)  because  Stanford’s  general  counsel  recommended  that  students 
not  present  the  paper  lest  they  be  prosecuted.  Fortunately,  the  US  govern- 
ment did  not  pursue  this  route  and  publications  in  cryptography  were  allowed 
to  continue.  (The  US  still  imposes  limitations  on  the  export  of  cryptographic 
implementations.  Since  2000,  however,  these  restrictions  have  been  greatly 
relaxed  and  are  today  hardly  felt  at  all.) 


9.4  Diffie-Hellman  Key  Exchange 

In  this  section  we  present  the  Diffie-Hellman  key-exchange  protocol  and 
prove  its  security  in  the  presence  of  eavesdropping  adversaries.  Security 
against  a passive,  eavesdropping  adversary  is  a relatively  weak  guarantee, 
and  we  emphasize  that  in  practice  security  must  hold  even  against  active  ad- 
versaries who  may  intercept  and  modify  messages  sent  between  the  parties. 
We  will  not  define  a notion  of  security  for  such  adversaries,  however,  as  this 
material  is  beyond  the  scope  of  this  book.  (Moreover,  we  are  interested  here 
in  the  setting  where  the  parties  have  no  shared  cryptographic  keys  to  begin 
with,  in  which  case  there  is  not  much  that  can  be  done  to  prevent  an  adversary 
from  impersonating  one  of  the  parties.) 
The setting and definition of security. We consider a setting with two parties Alice and Bob who run some protocol in order to generate a shared, secret key; we denote the protocol by $\Pi$ (thus, $\Pi$ can be viewed as the set of instructions for Alice and Bob in the protocol). Alice and Bob begin by holding the security parameter $1^n$; they then choose (independent) random coins and run the protocol $\Pi$. At the end of the protocol, Alice and Bob output keys $k_A, k_B \in \{0,1\}^n$, respectively. The basic correctness requirement we will impose on $\Pi$ is that it should always hold that $k_A = k_B$ (i.e., for all choices of random coins by Alice and Bob). Since we will only deal with protocols that satisfy this requirement, we will speak simply of the key $k = k_A = k_B$ generated by an honest execution of $\Pi$.

We  now  turn  to  defining  security.  Intuitively,  a key-exchange  protocol  is 
secure  if  the  key  output  by  Alice  and  Bob  is  completely  unknown  to  an  eaves- 
dropping adversary.  This  is  formally  defined  by  requiring  that  an  adversary 
who  has  eavesdropped  on  an  execution  of  the  protocol  should  be  unable  to 
distinguish  the  key  k generated  by  that  execution  (and  now  shared  by  Alice 
and  Bob)  from  a completely  random  key  of  length  n.  This  is  much  stronger 
than  simply  requiring  that  the  adversary  be  unable  to  compute  k exactly,  and 
this  stronger  notion  is  necessary  if  the  parties  will  use  k to  perform  some 
cryptographic  task  (e.g.,  to  use  k within  a private-key  encryption  scheme). 

Formalizing the above. Let $\Pi$ be a key-exchange protocol, $\mathcal{A}$ an adversary, and $n$ the security parameter. We have the following experiment:

The key-exchange experiment $\mathsf{KE}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$:

1. Two parties holding $1^n$ execute protocol $\Pi$. This execution of the protocol results in a transcript $\mathsf{trans}$ containing all the messages sent by the parties, and a key $k$ that is output by each of the parties.

2. A random bit $b \leftarrow \{0,1\}$ is chosen. If $b = 0$ then choose $\hat{k} \leftarrow \{0,1\}^n$ uniformly at random, and if $b = 1$ set $\hat{k} := k$.

3. $\mathcal{A}$ is given $\mathsf{trans}$ and $\hat{k}$, and outputs a bit $b'$.

4. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. (In case $\mathsf{KE}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1$, we say that $\mathcal{A}$ succeeds.)

The fact that $\mathcal{A}$ is given the transcript $\mathsf{trans}$ reflects the fact that $\mathcal{A}$ eavesdrops on the entire execution of the protocol and thus sees all messages exchanged by the parties. In the real world, of course, $\mathcal{A}$ would not be given any key; in the experiment above the adversary is given $\hat{k}$ only as a means of defining what it means for $\mathcal{A}$ to “break” the security of $\Pi$. That is, the adversary succeeds in “breaking” $\Pi$ if it can correctly determine whether the key $\hat{k}$ it was given is the “correct” key corresponding to the given execution of the protocol, or whether $\hat{k}$ is a completely random key that is independent of the transcript. As expected, we say that $\Pi$ is secure if the adversary succeeds with probability that is at most negligibly greater than 1/2. That is:
DEFINITION 9.1 A key-exchange protocol $\Pi$ is secure in the presence of an eavesdropper if for every probabilistic polynomial-time adversary $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that

$$\Pr\bigl[\mathsf{KE}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\bigr] \le \frac{1}{2} + \mathsf{negl}(n).$$

The  aim  of  a key-exchange  protocol  is  almost  always  to  generate  a shared 
key  k that  will  be  used  by  the  parties  for  some  further  cryptographic  pur- 
pose, e.g.,  to  encrypt  and  authenticate  their  subsequent  communication  using 
private-key  encryption  and  message  authentication  codes,  respectively.  Intu- 
itively, we  expect  this  approach  to  be  secure  since  the  key  k “looks  like”  a 
random  key.  Nevertheless,  the  above  definition  says  nothing  about  whether 
such  usage  of  the  key  will  actually  achieve  the  desired  security  properties  and 
it  is  always  dangerous  to  rely  on  intuition  alone.  Fortunately,  it  is  possible  to 
prove  that  the  above  definition  suffices  for  this  application;  see  Exercise  9.1. 

The Diffie-Hellman key-exchange protocol. We now describe the key-exchange protocol that appeared in the original paper by Diffie and Hellman (though they were less formal than we will be here). Let $\mathcal{G}$ be a probabilistic polynomial-time algorithm that, on input $1^n$, outputs a (description of a) cyclic group $G$, its order $q$ (with $\|q\| = n$), and a generator $g$ of $G$. (As usual, we also require that the group operation in $G$ can be computed in time polynomial in $n$.) See, e.g., Section 7.3.3 for one possibility for $\mathcal{G}$. The Diffie-Hellman key-exchange protocol, described for two parties Alice and Bob, is given as Construction 9.2 and illustrated in Figure 9.2.


CONSTRUCTION 9.2

• Common input: The security parameter $1^n$

• The protocol:

1. Alice runs $\mathcal{G}(1^n)$ to obtain $(G, q, g)$.

2. Alice chooses $x \leftarrow \mathbb{Z}_q$ uniformly at random, and computes $h_1 := g^x$.

3. Alice sends $(G, q, g, h_1)$ to Bob.

4. Bob receives $(G, q, g, h_1)$. He chooses $y \leftarrow \mathbb{Z}_q$ uniformly at random and computes $h_2 := g^y$. Bob sends $h_2$ to Alice and outputs the key $k_B := h_1^y$.

5. Alice receives $h_2$ and outputs the key $k_A := h_2^x$.

The Diffie-Hellman key-exchange protocol.

In our description, we have assumed that Alice generates $(G, q, g)$ and sends these to Bob with her first message. In certain settings — say, when Alice and Bob are both employees in the same company, or when they both trust some centralized authority — it is possible that both parties have instead agreed upon $(G, q, g)$ in advance, in which case Alice need only send $h_1$, and Bob need not wait to receive Alice’s message before computing and sending $h_2$.


Alice                                        Bob

$x \leftarrow \mathbb{Z}_q$
$h_1 := g^x$
                  --- $(G, q, g, h_1)$ --->
                                             $y \leftarrow \mathbb{Z}_q$
                                             $h_2 := g^y$
                  <-------- $h_2$ ---------
$k_A := h_2^x$                               $k_B := h_1^y$

FIGURE 9.2: The Diffie-Hellman key-exchange protocol.

It is not hard to see that the protocol is correct: Bob computes the key

$$k_B = h_1^y = (g^x)^y = g^{xy}$$

and Alice computes the key

$$k_A = h_2^x = (g^y)^x = g^{xy},$$

and so $k_A = k_B$. (The observant reader will note that the shared key is a group element, not a bit-string. We will return to this point later.) We now focus on security of the protocol.

Diffie and Hellman did not prove security of their protocol; indeed, the appropriate notions (both the definitional framework as well as the idea of formulating precise assumptions) were not yet in place. Let us see what sort of assumption will be needed in order for the protocol to be secure. A first observation, made also by Diffie and Hellman, is that a minimal requirement for security of the protocol is for the discrete logarithm problem to be hard relative to $\mathcal{G}$. If not, then an adversary given the transcript can compute the secret value of one of the parties and then easily compute the key: i.e., given $g$ and $h_1$ — and assuming the discrete logarithm problem is easy — an adversary can compute $x := \log_g h_1$ (which is Alice’s secret value) and then compute $k_A := h_2^x$ just as Alice does. So, hardness of the discrete logarithm problem is necessary for the protocol to be secure. It is not, however, sufficient, as it is possible that there may be other ways of computing the key $k_A = k_B$ without explicitly finding $x$ or $y$. The computational Diffie-Hellman assumption — which would only guarantee that the key is hard to compute in its entirety — does not suffice either. What is required by Definition 9.1 is exactly that $g^{xy}$ should be indistinguishable from random for any adversary given $g$, $g^x$, and $g^y$. This is exactly the decisional Diffie-Hellman assumption introduced in Section 7.3.2.
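The following added example (not code from the book) puts the last two points side by side: it runs Construction 9.2, then the eavesdropping experiment in the variant used in the proof below (for $b = 0$ the adversary gets a uniform group element), against a distinguisher that never computes a discrete logarithm. In the full group $\mathbb{Z}_p^*$ the distinguisher wins with probability about 3/4, because the Legendre symbol of $g^{xy}$ is determined by those of $g^x$ and $g^y$; so hardness of discrete logarithms, and even of computing $g^{xy}$ outright, is not what Definition 9.1 asks for. In the prime-order subgroup of quadratic residues (the kind of group Section 7.3.3 suggests), the same adversary has no advantage, which is the setting where the decisional Diffie-Hellman assumption is believed to hold. The 10-bit safe prime $p = 1019 = 2 \cdot 509 + 1$ is an assumption made so the code runs instantly; it is far too small for real use.

```python
import random

P = 1019             # toy safe prime: P = 2*Q + 1 with Q = 509 prime (illustration only)
Q = (P - 1) // 2


def full_group():
    """G = Z_P^*: cyclic of order P-1 = 2Q, generator 2 (a non-residue, since P = 3 mod 8)."""
    return (P, P - 1, 2)


def qr_subgroup():
    """G = quadratic residues mod P: cyclic of prime order Q, generated by 4 = 2^2."""
    return (P, Q, 4)


def is_generator(group):
    """g generates a group of the claimed order iff g^(order/r) != 1 for each prime r | order."""
    p, order, g = group
    primes = {2, Q} if order == 2 * Q else {Q}
    return all(pow(g, order // r, p) != 1 for r in primes)


def legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod p, p-1 if it is not (a nonzero)."""
    return pow(a, (p - 1) // 2, p)


def dh_run(group, rng):
    """One honest execution of Construction 9.2; returns (transcript, shared key)."""
    p, q, g = group
    x = rng.randrange(q); h1 = pow(g, x, p)     # Alice: x <- Z_q, h1 := g^x, sends (G,q,g,h1)
    y = rng.randrange(q); h2 = pow(g, y, p)     # Bob:   y <- Z_q, h2 := g^y, sends h2
    k_A, k_B = pow(h2, x, p), pow(h1, y, p)     # k_A := h2^x, k_B := h1^y
    assert k_A == k_B                           # correctness: both equal g^{xy}
    return (p, q, g, h1, h2), k_A


def ke_eav_experiment(group, adversary, trials, rng):
    """Modified experiment KE-hat^eav: b=1 gives the real key, b=0 a uniform group element.
    Returns the adversary's empirical success probability over `trials` independent runs."""
    p, q, g = group
    wins = 0
    for _ in range(trials):
        trans, k = dh_run(group, rng)
        b = rng.randrange(2)
        k_hat = k if b == 1 else pow(g, rng.randrange(q), p)
        wins += int(adversary(trans, k_hat) == b)
    return wins / trials


def legendre_adversary(trans, k_hat):
    """In Z_P^* with a non-residue generator, g^{xy} is a non-residue exactly when both g^x and
    g^y are (xy is odd iff x and y are odd). Output 1 iff k_hat has the residuosity the real
    key must have. No discrete logarithm is computed."""
    p, q, g, h1, h2 = trans
    both_nonresidues = legendre(h1, p) == p - 1 and legendre(h2, p) == p - 1
    predicted = p - 1 if both_nonresidues else 1
    return 1 if legendre(k_hat, p) == predicted else 0


def compare(trials=4000, seed=7):
    """Success probability of the same adversary in the two groups (about 0.75 vs 0.5)."""
    rng = random.Random(seed)
    return {
        "full_group": ke_eav_experiment(full_group(), legendre_adversary, trials, rng),
        "qr_subgroup": ke_eav_experiment(qr_subgroup(), legendre_adversary, trials, rng),
    }
```

In the full group the adversary is always right when $b = 1$ and right half the time when $b = 0$, hence the 3/4. In the quadratic-residue subgroup every element has Legendre symbol 1, the prediction is always "residue", the adversary always outputs 1, and its success collapses to the fraction of runs with $b = 1$. The practical lesson is the one the text draws: choose the group so that DDH is plausible, not merely the discrete logarithm.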

As  we  will  see,  a proof  of  security  for  the  protocol  follows  almost  imme- 
diately from  this  assumption.  This  should  not  be  surprising,  as  the  Diffie- 
Hellman  assumptions  were  introduced  — well  after  Diffie  and  Heilman  pub- 
lished their  paper  — as  a way  of  abstracting  the  properties  underlying  the 
observed  security  of  the  Diffie-Hellman  key-exchange  protocol.  Given  this, 
it  is  fair  to  ask  whether  anything  is  gained  by  defining  and  proving  secu- 
rity in  the  first  place.  By  this  point  in  the  book,  hopefully  you  are  already 
convinced the answer is yes: by precisely defining secure key exchange we
are  forced  to  think  about  exactly  what  security  properties  we  require  (and, 
consequently,  can  study  what  security  properties  Diffie-Hellman  key  exchange 
achieves);  by  specifying  a precise  assumption  (that  is,  the  decisional  Diffie- 
Hellman  assumption)  we  can  study  this  assumption  independently  of  any 
particular  application;  finally,  once  we  have  become  convinced  that  the  de- 
cisional Diffie-Hellman  assumption  is  valid  we  can  construct  other  protocols 
relying  on  the  same  underlying  assumption. 

For  completeness,  we  now  prove  security  of  the  Diffie-Hellman  key-exchange 
protocol  based  on  the  decisional  Diffie-Hellman  assumption.  Actually,  we  are 
going  to  “cheat”  and  not  prove  it  secure  with  respect  to  Definition  9.1.  In 
fact,  the  protocol  as  described  in  Construction  9.2  is  not,  in  general,  secure 
with  respect  to  this  definition.  The  issue  is  that  Definition  9.1  requires  the  key 
output  by  the  parties  to  be  indistinguishable  from  a random  string,  whereas  we 
will  only  be  able  to  prove  that  the  output  of  the  parties  in  Construction  9.2  is 
indistinguishable  from  a random  element  of  G.  (In  general,  a random  group 
element  will  look  very  different  from  a random  string.)  This  discrepancy 
needs  to  be  addressed  if  the  protocol  is  to  be  used  in  practice  — after  all, 
group  elements  are  not  typically  very  useful  as  cryptographic  keys  — and  we 
briefly discuss one standard way to do so following the proof. For now, we let $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$ denote a modified experiment where if $b = 0$ the adversary is given $\hat{k} \in G$ chosen uniformly at random, instead of a random string.

THEOREM 9.3 If the decisional Diffie-Hellman problem is hard relative to $\mathcal{G}$, then the Diffie-Hellman key-exchange protocol $\Pi$ is secure in the presence of an eavesdropper (with respect to the modified experiment $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}$).


PROOF The intuition behind the proof has been given above and we therefore proceed immediately to the details. Let $\mathcal{A}$ be a PPT adversary. Since $\Pr[b = 0] = \Pr[b = 1] = 1/2$, we have

$$\Pr\bigl[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\bigr] = \frac{1}{2}\cdot\Pr\bigl[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 1\bigr] + \frac{1}{2}\cdot\Pr\bigl[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 0\bigr]. \qquad (9.1)$$

In experiment $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$ the adversary $\mathcal{A}$ receives $(G, q, g, h_1, h_2, \hat{k})$, where the first set of values $(G, q, g, h_1, h_2)$ represents the transcript of the protocol execution, and where $\hat{k}$ is either the actual key $g^{xy}$ computed by the parties (if $b = 1$) or a random group element (if $b = 0$). Distinguishing between these two cases is exactly equivalent to solving the decisional Diffie-Hellman problem. That is, using Equation (9.1):


Pr 


= - Pr 
2 


— 1 I 6 — 1 


+ --Pr 


= 1 I 6 = 0 


= i • Pr[A{Q,g,q,g"',g'^ ,g""y)  = 1]  + ^ • Px[A{G,q,g,g'^ ,g'^ ,g"‘)  = 0] 

= i • = 1)  + i . (1  - Pr[^(G,9,^.9^^^s‘)  = ,1]) 

= 1 + 1'  (Pr[.4(G,s,9,s*,9»,9*i')  = 1]  -Pr[.4(G,<,,s,9*,s»,ff")  = 1]) 
<1  + ^ ■ |Pr[.4(G,s,ij,g*,a>',s*")  = 1)  - Pr[.4(G,ij,ff,5‘',s",s*)  = 1]|  , 


where the probabilities in the final three lines are taken over $(G, q, g)$ output by $\mathcal{G}(1^n)$, and $x, y, z \leftarrow \mathbb{Z}_q$ chosen uniformly at random. (Note that, since $g$ is a generator, $g^z$ is a uniformly distributed element of $G$ when $z$ is uniformly distributed in $\mathbb{Z}_q$.) If the decisional Diffie-Hellman problem is hard relative to $\mathcal{G}$, that exactly means that there exists a negligible function $\mathsf{negl}$ for which

$$\bigl|\Pr[\mathcal{A}(G,q,g,g^x,g^y,g^{xy}) = 1] - \Pr[\mathcal{A}(G,q,g,g^x,g^y,g^z) = 1]\bigr| \le \mathsf{negl}(n).$$

We conclude that

$$\Pr\bigl[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\bigr] \le \frac{1}{2} + \frac{1}{2}\cdot\mathsf{negl}(n),$$

completing the proof.


Random  group  elements  vs.  random  strings.  The  previous  theorem 
shows  that  the  key  output  by  Alice  and  Bob  is  computationally  indistinguish- 
able from  a random  group  element  (for  a polynomial-time  eavesdropper).  For 
this  key  to  be  useful  for  subsequent  cryptographic  operations,  however,  it 
should  be  indistinguishable  from  a random  string  of  some  appropriate  length. 
This can be achieved by mapping group elements to strings in some way
that “preserves uniformity”. Efficient techniques for doing so exist, and these
are called “randomness extractors”. These are by now relatively standard in
computer science, but are beyond the scope of this book.

Active  adversaries.  So  far  we  have  considered  only  the  case  of  an  eaves- 
dropping adversary.  Although  eavesdropping  attacks  are  by  far  the  most 
common  (as  they  are  so  easy  to  carry  out),  they  are  by  no  means  the  only 
possible  attack.  Active  attacks,  in  which  the  adversary  sends  messages  of 
its  own  to  one  or  both  of  the  parties  are  also  a concern,  and  any  protocol 
used  in  practice  must  be  resilient  to  active  attacks  as  well.  When  considering 
active  attacks,  it  is  useful  to  distinguish,  informally,  between  impersonation 
attacks  where  only  one  of  the  honest  parties  is  executing  the  protocol  and 
the adversary impersonates the other party, and man-in-the-middle attacks
where  both  honest  parties  are  executing  the  protocol  and  the  adversary  is 
intercepting  and  modifying  messages  being  sent  from  one  party  to  the  other. 

We  will  not  define  security  against  either  class  of  attacks,  as  such  a defini- 
tion is  rather  involved  and  also  cannot  be  achieved  without  the  parties  sharing 
some  information  in  advance.  Nevertheless,  it  is  worth  remarking  that  the 
Diffie-Hellman protocol is completely insecure against man-in-the-middle
attacks. In fact, a man-in-the-middle adversary can act in such a way that Alice
and Bob terminate the protocol with different keys $k_A$ and $k_B$ that are both
known to the adversary, yet neither Alice nor Bob can detect that any attack
was carried out. We leave the details of this attack as an exercise.
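The man-in-the-middle attack sketched above, as an added worked example that is not part of the textbook's own text: Python code running textbook Diffie-Hellman over a constructed toy group (p = 1019, q = 509, g = 4; these parameters are assumptions chosen for illustration and are far too small for real use), first honestly and then with an adversary substituting both public values. The subgroup check `is_valid_element` is the kind of validation a careful implementation performs on every received value; the forged values pass it, which is exactly why the transcript alone cannot reveal the attack.

```python
# Added example (not from the textbook): Diffie-Hellman key exchange in a
# prime-order subgroup, run once honestly and once through a man-in-the-middle
# who ends up holding Alice's key k_A and Bob's key k_B.  The group (p, q, g)
# is a constructed toy instance: p = 2q + 1 with q = 509, and g = 4 has order q.
# A real deployment needs a group of at least 2048 bits; nothing else changes.
import secrets

P = 1019   # safe prime p = 2q + 1 (constructed toy parameter)
Q = 509    # prime order of the subgroup generated by G
G = 4      # 2^2 mod p, so G lies in (and generates) the order-q subgroup


def is_valid_element(h):
    """Subgroup check a careful receiver performs on an incoming value:
    h must be in the order-q subgroup and must not be the identity.
    A well-formed forgery passes this check, which is the point of the attack."""
    return 1 < h < P and pow(h, Q, P) == 1


def keygen(secret=None):
    """Choose x uniformly from {1, ..., q-1} (or use the supplied test value)
    and return (x, g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1 if secret is None else secret % Q
    if x == 0:
        raise ValueError("secret must be nonzero modulo q")
    return x, pow(G, x, P)


def shared_key(secret, peer_public):
    """k = peer_public^secret mod p; both sides obtain g^{xy} when undisturbed."""
    if not is_valid_element(peer_public):
        raise ValueError("peer value is not a valid subgroup element")
    return pow(peer_public, secret, P)


def run_honest(x=None, y=None):
    """Alice sends h1 = g^x, Bob replies h2 = g^y; return (k_A, k_B), which agree."""
    x, h1 = keygen(x)
    y, h2 = keygen(y)
    return shared_key(x, h2), shared_key(y, h1)


def run_mitm(x=None, y=None, x_adv=None, y_adv=None):
    """The adversary intercepts each public value and forwards one of its own.
    Alice and Bob each receive a valid-looking group element, so no check on
    the transcript alone reveals the substitution."""
    x, h1 = keygen(x)                # Alice's message, intercepted
    y, h2 = keygen(y)                # Bob's message, intercepted
    x_adv, h1_fake = keygen(x_adv)   # delivered to Bob in place of h1
    y_adv, h2_fake = keygen(y_adv)   # delivered to Alice in place of h2
    return {
        "alice": shared_key(x, h2_fake),          # k_A = g^{x * y_adv}
        "bob": shared_key(y, h1_fake),            # k_B = g^{y * x_adv}
        "adv_with_alice": shared_key(y_adv, h1),  # adversary's copy of k_A
        "adv_with_bob": shared_key(x_adv, h2),    # adversary's copy of k_B
    }


if __name__ == "__main__":
    k_a, k_b = run_honest()
    print("honest run, keys agree:", k_a == k_b)
    r = run_mitm()
    print("MITM: adversary holds k_A:", r["alice"] == r["adv_with_alice"])
    print("MITM: adversary holds k_B:", r["bob"] == r["adv_with_bob"])
    print("MITM: Alice and Bob hold different keys:", r["alice"] != r["bob"])
```

Once the adversary holds $k_A$ and $k_B$ it can decrypt whatever Alice sends under $k_A$, re-encrypt it under $k_B$ for Bob, and vice versa, so even the later traffic looks normal to both parties. The subgroup check still belongs in real code: it stops small-subgroup and identity-element tricks, but not this attack, which requires authentication of the exchanged values.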

The fact that the Diffie-Hellman protocol is not resilient to man-in-the-middle
attacks does not detract in any way from its importance. The Diffie-Hellman
protocol served as the first demonstration that asymmetric techniques (and
number-theoretic problems) could be used to alleviate the problems of key
distribution in cryptography. Furthermore, extensions of the Diffie-Hellman
protocol can be shown to prevent man-in-the-middle attacks, and such protocols
are widely used today.

The  Diffie-Hellman  key-exchange  protocol  in  practice.  The  Diffie- 
Hellman  protocol  in  its  basic  form  is  typically  not  used  in  practice  due  to  its 
insecurity  against  man-in-the-middle  attacks,  as  discussed  above.  However, 
it  does  form  the  nucleus  of  other  key-exchange  protocols  that  are  resilient  to 
man-in-the-middle  attacks  and  are  in  wide  use  today.  One  notable  example  of 
a standardized  protocol  that  relies  on  Diffie-Hellman  key  exchange  is  IPsec. 


References  and  Additional  Reading 

We  have  only  briefly  discussed  the  problems  of  key  distribution  and  key 
management  in  general.  For  more  information,  we  recommend  looking  at 
textbooks on network security. Our favorite is the one by Kaufman et al. [87],
which  provides  an  excellent  treatment  of  different  protocols  for  secure  key 
distribution,  what  they  aim  to  achieve,  and  how  they  work. 

We highly recommend reading the original paper by Diffie and Hellman [47].
The  history  of  the  development  of  public-key  cryptography  is  a fascinating 
one;  the  book  by  Levy  [95]  focuses  on  the  political  and  historical  aspects  of 
the  public-key  revolution. 


Exercises 

9.1 Consider the following interactive protocol Π' for encrypting a message:
first, the sender and receiver run a key-exchange protocol Π to generate
a shared key k. Next, the sender computes $c \leftarrow \mathrm{Enc}_k(m)$ and sends c to
the other party, who can decrypt and recover m using k.

(a)  Formulate  a definition  of  indistinguishable  encryptions  in  the  pres- 
ence of  an  eavesdropper  (cf.  Definition  3.8)  appropriate  for  this 
interactive  setting. 

(b) Prove that if Π is secure in the presence of an eavesdropper and
(Gen, Enc, Dec) is a private-key encryption scheme that has indistinguishable
encryptions in the presence of an eavesdropper, then Π' satisfies your
definition given previously.

9.2 Describe in detail a man-in-the-middle attack on the Diffie-Hellman key-
exchange protocol whereby the adversary ends up sharing a key $k_A$ with
Alice and a (different) key $k_B$ with Bob, and Alice and Bob cannot detect
that anything has gone wrong.

What  happens  if  Alice  and  Bob  try  to  detect  the  presence  of  a man-in- 
the-middle  adversary  by  sending  each  other  (encrypted)  questions  that 
only  the  other  party  would  know  how  to  answer? 

9.3  Consider  the  following  key-exchange  protocol: 

(a) Alice chooses $k, r \leftarrow \{0,1\}^n$ at random, and sends $s := k \oplus r$ to Bob.

(b) Bob chooses $t \leftarrow \{0,1\}^n$ at random and sends $u := s \oplus t$ to Alice.

(c) Alice computes $w := u \oplus r$ and sends w to Bob.

(d) Alice outputs k and Bob computes $w \oplus t$.

Show  that  Alice  and  Bob  output  the  same  key.  Analyze  the  security  of 
the  scheme  (i.e.,  either  prove  its  security  or  show  a concrete  attack). 


Chapter  10 


Public-Key  Encryption 


10.1  Public-Key  Encryption  — An  Overview 

As  discussed  in  the  previous  chapter,  the  introduction  of  public-key  en- 
cryption marked  a revolution  in  the  field  of  cryptography.  Until  that  time, 
cryptographers  had  relied  exclusively  on  shared,  secret  keys  to  achieve  private 
communication.  Public-key  techniques,  in  contrast,  enable  parties  to  commu- 
nicate privately  without  having  agreed  on  any  secret  information  in  advance. 
As noted previously (in a slightly different context), it is quite amazing and
counter-intuitive that this is possible: it means that two people on opposite
sides of a room who can only communicate by shouting to each other, and
have no initial secret, can talk in such a way that no one else in the room
learns anything about what they are saying!

In  the  setting  of  private-key  encryption,  two  parties  agree  on  a secret  key 
k which  can  be  used  (by  either  party)  for  both  encryption  and  decryption. 
Public-key  encryption  is  asymmetric  in  both  these  respects.  Specifically,  one 
party  (the  receiver)  generates  a pair  of  keys  (pk,  sk),  called  the  public  key  and 
the  private  key,  respectively.  The  public  key  is  used  by  a sender  to  encrypt 
a message  for  the  receiver;  the  receiver  then  uses  the  private  key  to  decrypt 
the  resulting  ciphertext. 

Since  the  goal  is  to  avoid  the  need  for  two  parties  to  meet  in  advance  to 
agree on any information, how does the sender learn pk? At an abstract level,
there  are  essentially  two  ways  this  can  occur.  Let  us  call  the  receiver  Alice 
and  the  sender  Bob.  If  Alice  knows  that  Bob  wants  to  communicate  with  her, 
she  can  at  that  point  generate  (pk,  sk)  (assuming  she  hasn’t  done  so  already) 
and  then  send  pk  in  the  clear  to  Bob;  Bob  can  then  use  pk  to  encrypt  his 
message. We emphasize that the channel from Alice to Bob may be public,
but  is  assumed  to  be  authenticated,  meaning  that  the  adversary  cannot  modify 
the  key  sent  by  Alice  to  Bob  (and,  in  particular,  cannot  replace  it  with  its 
own  key).  It  is  possible  to  use  digital  signatures  to  alleviate  this  problem; 
see  Section  12.8  for  a discussion  of  how  public  keys  can  be  distributed  over 
unauthenticated  channels. 

An  alternative  way  to  picture  the  situation  is  that  Alice  generates  her  keys 
(pk,  sk)  in  advance,  independent  of  any  particular  sender.  (In  fact,  at  the 
time  of  key  generation  Alice  need  not  even  be  aware  that  Bob  wants  to  talk 
to her or even that Bob exists!) Then Alice widely disseminates her public
key  pk,  say,  by  publishing  it  on  her  webpage,  putting  it  on  her  business  cards, 
publishing  it  in  a newspaper,  or  placing  it  in  a public  directory.  Now,  anyone 
who  wishes  to  communicate  privately  with  Alice  can  look  up  her  public  key 
and  proceed  as  above.  Note  that  multiple  senders  can  communicate  multiple 
times  with  Alice  using  the  same  public  key  pk  for  all  communication. 

An  important  point  is  that  pk  is  inherently  public  — and,  more  to  the  point, 
can  easily  be  learned  by  an  attacker  — in  either  of  the  above  scenarios.  In  the 
first  case,  an  adversary  eavesdropping  on  the  communication  between  Alice 
and  Bob  obtains  pk  by  simply  listening  to  the  first  message  that  Alice  sends 
Bob;  in  the  second  case,  an  adversary  could  just  as  well  look  up  Alice’s  public 
key  on  his  own.  A consequence  is  that  the  security  of  public-key  encryption 
cannot rely on the secrecy of pk, but must instead rely on the secrecy of sk. It
is  therefore  crucial  that  Alice  not  reveal  her  private  key  to  anyone,  including 
the  sender  Bob. 

Comparison  to  Private-Key  Encryption 

Perhaps  the  most  obvious  difference  between  private-  and  public-key  en- 
cryption is  that  the  former  assumes  complete  secrecy  of  all  cryptographic 
keys,  whereas  the  latter  requires  secrecy  for  “only”  half  the  key-pair  (pk,sk). 
Although  this  might  seem  like  a minor  distinction,  the  ramifications  are  huge: 
in  the  private-key  setting  the  communicating  parties  must  somehow  be  able 
to  share  the  secret  key  without  allowing  any  third  party  to  learn  it;  in  the 
public-key  setting,  the  public  key  can  be  sent  from  one  party  to  the  other  over 
a public  channel  without  compromising  security.  For  parties  shouting  across 
a room  or,  more  realistically,  communicating  entirely  over  a public  network 
like  a phone  line  or  the  Internet,  public-key  encryption  is  the  only  option. 

Another  important  distinction  is  that  private-key  encryption  schemes  use 
the same key for both encryption and decryption, while public-key encryption
schemes use different keys for each operation. For this reason, public-key
encryption  schemes  are  sometimes  called  asymmetric.  This  asymmetry  in  the 
public-key  setting  means  that  the  roles  of  sender  and  receiver  are  not  inter- 
changeable the  way  they  are  in  the  private-key  setting:  a given  instance  of 
a public-key  encryption  scheme  allows  communication  in  one  direction  only. 
(This  can  be  addressed  in  any  of  a number  of  ways,  but  the  point  is  that  a 
single  invocation  of  a public-key  encryption  scheme  forces  a distinction  be- 
tween one  user  who  acts  as  a receiver  and  other  users  who  act  as  senders.)  On 
the  other  hand,  a single  instance  of  a public-key  encryption  scheme  enables 
multiple  senders  to  communicate  privately  with  a single  receiver,  in  contrast 
to  the  private-key  case  where  a secret  key  shared  between  two  parties  enables 
only  those  two  parties  to  communicate  privately. 

Summarizing  and  elaborating  the  preceding  discussion,  we  see  that  public- 
key  encryption  has  the  following  advantages  relative  to  private-key  encryption 
(see  also  the  extensive  discussion  in  the  previous  chapter): 
• The most important advantage is that public-key encryption addresses
(to some extent) the key distribution problem since communicating parties
do not need to secretly share a key in advance of their communication.
Public-key encryption allows two parties to communicate secretly
even if all communication between them is monitored.

• In  the  case  that  one  receiver  is  communicating  with  U senders  (e.g., 
an  on-line  merchant  processing  credit  card  orders  from  multiple  pur- 
chasers), it  is  much  more  convenient  for  the  receiver  to  store  a single 
private  key  sk  rather  than  to  share,  store,  and  manage  U different  secret 
keys  (i.e.,  one  for  each  sender).  In  fact,  when  using  public-key  encryption 
the  number  and  identities  of  the  potential  senders  need  not  be  known 
at  the  time  of  key-generation.  This  allows  enormous  flexibility,  and  is 
clearly  essential  for  an  on-line  merchant. 

The main disadvantage of public-key encryption is that it is at least 2 to
3 orders of magnitude slower than private-key encryption.¹ This means, for
example,  that  it  can  be  a challenge  to  implement  public-key  encryption  in 
severely  resource-constrained  devices  like  smartcards  or  radio-frequency  iden- 
tification (RFID)  tags.  Even  when  a powerful  computer  is  performing  cryp- 
tographic operations,  carrying  out  many  hundreds  of  such  operations  may  be 
prohibitive  (this  is  actually  quite  common  as  in  the  case  of  a server  process- 
ing credit-card  transactions  for  an  on-line  merchant).  In  any  case,  we  may 
conclude  that  if  private-key  encryption  is  an  option  (i.e.,  if  two  parties  can 
securely  share  a key  in  advance)  it  should  always  be  used. 

In fact, private-key encryption is used in the public-key setting to improve
the efficiency of the (public-key) encryption of long messages; this is discussed
further in Section 10.3. A thorough understanding of private-key encryption is
therefore crucial to fully appreciate how public-key encryption is implemented
in practice.

Secure  Distribution  of  Public  Keys 

In our entire discussion thus far, we have implicitly assumed that the
adversary is passive; that is, the adversary only eavesdrops on communication
between  the  sender  and  receiver  but  does  not  actively  interfere  with  the  com- 
munication. If  the  adversary  has  the  ability  to  tamper  with  all  communication 
between  the  honest  parties,  and  these  honest  parties  hold  no  shared  keys,  then 
privacy  simply  cannot  be  achieved.  For  example,  if  a receiver  Alice  sends  her 
public  key  pk  to  Bob  but  the  adversary  replaces  this  public  key  with  a key 
pk'  of  his  own  (for  which  it  knows  the  matching  private  key  sk'),  then  even 
though  Bob  encrypts  his  message  using  pk'  the  adversary  will  easily  be  able 


¹ It is difficult to give an exact comparison since the relative efficiency depends on the exact
schemes under consideration as well as various implementation details.
to recover this message (using sk'). A similar attack works if an adversary is
able  to  change  the  value  of  Alice’s  public  key  that  is  stored  in  some  public  di- 
rectory, or  if  the  adversary  can  tamper  with  the  public  key  as  it  is  transmitted 
from  the  directory  to  Bob.  If  Alice  and  Bob  do  not  share  any  information  in 
advance,  or  do  not  rely  on  some  mutually-trusted  third  party,  there  is  nothing 
Alice  or  Bob  can  do  to  prevent  active  attacks  of  this  sort,  or  even  to  tell  that 
such an attack is taking place.² Looking ahead, we will discuss in Section 12.8
how  mild  reliance  on  a trusted  third  party  can  be  used  to  address  such  attacks. 

Our  treatment  of  public-key  encryption  in  this  and  the  next  chapter  will 
simply  assume  that  senders  have  a legitimate  copy  of  the  receiver’s  public 
key.  (This  will  be  implicit  in  the  security  definitions  we  provide.)  That  is, 
we  assume  secure  key  distribution.  This  assumption  is  made  not  because 
active  attacks  of  the  type  discussed  above  are  of  no  concern  — in  fact,  they 
represent  a serious  threat  that  must  be  dealt  with  in  any  real-world  system 
that  uses  public-key  encryption.  Rather,  this  assumption  is  made  because 
there  exist  other  mechanisms  for  preventing  active  attacks  (see,  for  example, 
Section  12.8),  and  it  is  therefore  convenient  (and  useful)  to  decouple  the  study 
of  secure  public-key  encryption  from  the  study  of  secure  key  distribution. 


10.2  Definitions 

We  begin  by  defining  the  syntax  of  public-key  encryption.  The  definition 
is  very  similar  to  Definition  3.7,  with  the  exception  that  instead  of  working 
with  a single  key,  distinct  encryption  and  decryption  keys  are  defined. 

DEFINITION  10.1  A public-key  encryption  scheme  is  a tuple  of  proba- 
bilistic polynomial-time  algorithms  (Gen,  Enc,  Dec)  such  that: 

1. The key generation algorithm Gen takes as input the security parameter
$1^n$ and outputs a pair of keys (pk, sk). We refer to the first of these
as the public key and the second as the private key. We assume for
convenience that pk and sk each have length at least n, and that n can
be determined from pk, sk.

2. The encryption algorithm Enc takes as input a public key pk and a
message m from some underlying plaintext space (that may depend on pk).
It outputs a ciphertext c, and we write this as $c \leftarrow \mathrm{Enc}_{pk}(m)$.


² In our “shouting-across-a-room” scenario, Alice and Bob can detect when an adversary
interferes  with  the  communication.  But  this  is  only  because:  (1)  the  adversary  cannot 
prevent  Alice’s  messages  from  reaching  Bob,  and  (2)  Alice  and  Bob  “share”  in  advance 
certain  information  (e.g.,  the  sound  of  their  voices  or  the  way  they  look)  that  allows  them 
to  “authenticate”  their  communication. 

3. The decryption algorithm Dec takes as input a private key sk and a
ciphertext c, and outputs a message m or a special symbol ⊥ denoting
failure. We assume without loss of generality that Dec is deterministic,
and write this as $m := \mathrm{Dec}_{sk}(c)$.

It is required that

$$\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m)) = m$$

except with possibly negligible probability over (pk, sk) output by $\mathrm{Gen}(1^n)$ and
any randomness used by Enc.

In  terms  of  the  syntax  of  the  definition,  the  important  distinction  from  the 
private-key  setting  is  that  the  key-generation  algorithm  Gen  now  outputs  two 
keys  rather  than  one.  (Moreover,  we  can  no  longer  simply  assume  that  pk  is 
just  a random  n-bit  string.)  The  public  key  pk  is  used  for  encryption,  while 
the  private  key  sk  is  used  for  decryption.  Reiterating  our  earlier  discussion, 
pk  is  assumed  to  be  widely  distributed  so  that  anyone  can  encrypt  messages 
for  the  party  who  has  generated  this  key,  but  sk  must  be  kept  private  by  the 
receiver  in  order  for  security  to  possibly  hold. 

Note  that  we  allow  a negligible  decryption  error  and,  indeed,  the  concrete 
schemes  that  we  will  present  can  have  a negligible  error  (e.g.,  if  a prime  needs 
to  be  chosen  but  with  negligible  probability  a composite  is  obtained  instead). 
Despite this, we will typically ignore this issue from here on.

For practical usage of public-key encryption, we will want the plaintext
space to be $\{0,1\}^n$ or $\{0,1\}^*$ (and, in particular, to be independent of the
public key). Although we will sometimes describe encryption schemes using
some message space $\mathcal{M}$ that does not contain all bit-strings of some fixed
length (and that may also depend on the public key), we will in such cases
also specify how to encode bit-strings as elements of $\mathcal{M}$. This encoding must
be both efficient and efficiently reversible, so the receiver can recover the
bit-string that was encrypted.


Example  10.2 

Say an encryption scheme has message space $\mathbb{Z}_N$, where N is an n-bit integer
that is included in the public key. We can encode strings of length $n - 1$
as elements of $\mathbb{Z}_N$ in the natural way, by interpreting any such string as an
integer strictly less than N. This encoding is efficient and easily reversible. ◇


10.2.1  Security  against  Chosen-Plaintext  Attacks 

We  begin  our  treatment  of  security  notions  by  introducing  the  “natural” 
counterpart  of  Definition  3.8  in  the  public-key  setting.  Since  extensive  moti- 
vation for  this  definition  (as  well  as  the  others  we  will  see)  has  already  been 
given in Chapter 3, the discussion here will be relatively brief and will focus
primarily on the differences between the private-key and public-key settings.

Given a public-key encryption scheme Π = (Gen, Enc, Dec) and an adversary
$\mathcal{A}$, consider the following experiment:

The eavesdropping indistinguishability experiment $\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$:

1. $\mathrm{Gen}(1^n)$ is run to obtain keys (pk, sk).

2. Adversary $\mathcal{A}$ is given pk, and outputs a pair of messages
$m_0, m_1$ of the same length. (These messages must be in the
plaintext space associated with pk.)

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext
$c \leftarrow \mathrm{Enc}_{pk}(m_b)$ is computed and given to $\mathcal{A}$. We call c the
challenge ciphertext.

4. $\mathcal{A}$ outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and
0 otherwise.

DEFINITION 10.3 A public-key encryption scheme Π = (Gen, Enc, Dec)
has indistinguishable encryptions in the presence of an eavesdropper if for all
probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function
negl such that

$$\Pr\big[\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\big] \le \frac{1}{2} + \mathsf{negl}(n).$$

The  main  difference  between  the  above  definition  and  Definition  3.8  is  that 
here  A is  given  the  public  key  pk.  Furthermore,  we  allow  A to  choose  its 
messages  mo  and  mi  based  on  this  public  key.  This  is  essential  when  defining 
security  of  public-key  encryption  since,  as  discussed  previously,  we  are  forced 
to  assume  that  an  adversary  eavesdropping  on  the  communication  between 
two  parties  in  the  public- key  setting  knows  the  public  key  of  the  recipient. 

The seemingly “minor” modification of giving the adversary $\mathcal{A}$ the public
key pk being used to encrypt the message has a tremendous impact: it
effectively gives $\mathcal{A}$ access to an encryption oracle for free. (The concept
of an encryption oracle is explained in Section 3.5.) This is the case
because the adversary, given pk, can now encrypt any message m on its own
simply by computing $\mathrm{Enc}_{pk}(m)$ using honestly-generated random coins. (As
always, $\mathcal{A}$ is assumed to know the algorithm Enc.) The upshot is that
Definition 10.3 is equivalent to security against chosen-plaintext attacks, defined
in a manner analogous to Definition 3.21. Specifically, consider the following
experiment defined for public-key encryption scheme Π = (Gen, Enc, Dec) and
adversary $\mathcal{A}$:
The CPA indistinguishability experiment $\mathsf{PubK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n)$:

1. $\mathrm{Gen}(1^n)$ is run to obtain keys (pk, sk).

2. Adversary $\mathcal{A}$ is given pk as well as oracle access to $\mathrm{Enc}_{pk}(\cdot)$.
The adversary outputs a pair of messages $m_0, m_1$ of the same
length. (These messages must be in the plaintext space
associated with pk.)

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext
$c \leftarrow \mathrm{Enc}_{pk}(m_b)$ is computed and given to $\mathcal{A}$. We call c the
challenge ciphertext.

4. $\mathcal{A}$ continues to have access to $\mathrm{Enc}_{pk}(\cdot)$, and outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and
0 otherwise.

DEFINITION 10.4 A public-key encryption scheme Π = (Gen, Enc, Dec)
has indistinguishable encryptions under a chosen-plaintext attack (or is CPA
secure) if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a
negligible function negl such that:

$$\Pr\big[\mathsf{PubK}^{\mathsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\big] \le \frac{1}{2} + \mathsf{negl}(n).$$

Summarizing  what  we  have  said  above,  the  encryption  oracle  is  unnecessary 
since  A can  encrypt  messages  by  itself  using  pk.  Thus: 

PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable
encryptions in the presence of an eavesdropper, then Π also has
indistinguishable encryptions under a chosen-plaintext attack.

This  is  in  contrast  to  the  private-key  setting,  where  there  exist  schemes  that 
have  indistinguishable  encryptions  in  the  presence  of  an  eavesdropper  but  are 
insecure  under  a chosen-plaintext  attack  (see  Propositions  3.19  and  3.22).  Fur- 
ther differences  from  the  private-key  setting  that  follow  almost  immediately 
as  consequences  of  the  above  are  discussed  next. 

Impossibility  of  Perfectly- Secret  Public-Key  Encryption 

Perfectly-secret public-key encryption could be defined analogously to
Definition 2.1 by conditioning over the entire view of an eavesdropper (i.e.,
including the public key). Equivalently, it could be defined by extending
Definition 10.3 to require that for all adversaries $\mathcal{A}$

In contrast to the private-key setting, perfectly-secret public-key encryption is
impossible, regardless of how long the keys are and how short the message is.
In fact, given pk and a ciphertext c computed via $c \leftarrow \mathrm{Enc}_{pk}(m)$, it is possible
for an unbounded adversary to determine the message m with probability 1.
A demonstration of this is left as an exercise.


Insecurity  of  Deterministic  Public-Key  Encryption 

As  noted  in  the  context  of  private-key  encryption,  no  deterministic  encryp- 
tion scheme  can  be  CPA-secure.  Due  to  the  equivalence  between  CPA-security 
and  indistinguishability  of  encryptions  in  the  presence  of  an  eavesdropper  in 
the  public-key  setting,  we  conclude  that: 


THEOREM  10.6  No  deterministic  public-key  encryption  scheme  has  in- 
distinguishable encryptions  in  the  presence  of  an  eavesdropper. 

Because  Theorem  10.6  is  so  important,  it  merits  a bit  more  discussion. 
The  theorem  is  not  a mere  “artifact”  of  our  security  definition,  or  an  indica- 
tion that  Definition  10.3  is  too  strong.  Deterministic  public-key  encryption 
schemes  are  vulnerable  to  practical  attacks  in  realistic  scenarios,  and  should 
never  be  used.  The  reason  is  that  a deterministic  scheme  not  only  allows 
the  adversary  to  determine  when  the  same  message  is  sent  twice  (as  in  the 
private-key  setting),  but  also  allows  the  adversary  to  recover  the  message, 
with  probability  1,  as  long  as  the  set  of  possible  messages  being  encrypted  is 
small.  (See  Exercise  10.2.)  For  example,  consider  a professor  encrypting  the 
final  grade  of  a student.  Here,  an  eavesdropper  knows  that  the  student’s  grade 
must be one of {A, B, C, D, E}. If the professor uses a deterministic public-
key  encryption  scheme,  an  eavesdropper  can  quickly  determine  the  student’s 
actual  grade  by  encrypting  all  possible  grades  and  comparing  the  result  to  the 
given  ciphertext. 
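An added example (not from the textbook) that turns the grade attack above into code: a small harness for the eavesdropping experiment $\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$ of Definition 10.3, an adversary that wins it with probability 1 against any deterministic scheme by re-encrypting $m_0$ under pk, and the exhaustive trial of all five grades. Textbook RSA with constructed toy primes is assumed as the deterministic scheme only because it is the simplest one to write down; this section does not introduce it, and the names `enc_det`, `recover_grade` and `win_rate` are this example's own.

```python
# Added example (not from the textbook): the experiment PubK^eav as a harness,
# an adversary that breaks every deterministic public-key scheme in it, and the
# "encrypt all possible grades" attack.  Textbook RSA with constructed toy
# primes (far too small for real use) stands in for the deterministic scheme.
import secrets

GRADES = ["A", "B", "C", "D", "E"]   # the small message space from the text


def rsa_keygen():
    """Toy textbook RSA key pair; the primes are constructed illustration values."""
    p, q = 1009, 1013
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def enc_det(pk, m):
    """Deterministic encryption: the same (pk, m) always yields the same c."""
    n, e = pk
    return pow(m, e, n)


def dec(sk, c):
    n, d = sk
    return pow(c, d, n)


def encode(grade):
    """Encode a one-character grade as an integer in Z_N (reversible via chr)."""
    return ord(grade)


def pubk_eav(scheme_enc, adversary, pk):
    """One run of PubK^eav_{A,Pi}(n): A picks (m0, m1), receives Enc_pk(m_b),
    outputs b'; the result is 1 iff b' == b.  sk is never used."""
    m0, m1 = adversary.choose(pk)
    b = secrets.randbelow(2)
    challenge = scheme_enc(pk, (m0, m1)[b])
    return 1 if adversary.guess(pk, challenge) == b else 0


class ReencryptAdversary:
    """Wins against any deterministic Enc: with pk in hand it recomputes
    Enc_pk(m0) itself and compares the result with the challenge ciphertext."""

    def __init__(self, enc):
        self.enc = enc

    def choose(self, pk):
        self.m0, self.m1 = encode("A"), encode("B")   # same length, both in Z_N
        return self.m0, self.m1

    def guess(self, pk, challenge):
        return 0 if self.enc(pk, self.m0) == challenge else 1


def recover_grade(pk, ciphertext, candidates=GRADES):
    """The eavesdropper's attack from the text: given only pk and a ciphertext,
    encrypt every candidate grade and return the one that matches."""
    for grade in candidates:
        if enc_det(pk, encode(grade)) == ciphertext:
            return grade
    return None


def win_rate(trials=200):
    """Fraction of experiment runs the re-encryption adversary wins (1.0 here)."""
    pk, _ = rsa_keygen()
    adv = ReencryptAdversary(enc_det)
    return sum(pubk_eav(enc_det, adv, pk) for _ in range(trials)) / trials


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    c = enc_det(pk, encode("C"))
    print("professor's ciphertext:", c)
    print("eavesdropper recovers grade:", recover_grade(pk, c))
    print("adversary's win rate in PubK^eav:", win_rate())
```

The adversary never touches sk: all it does is recompute $\mathrm{Enc}_{pk}$ on candidate messages, which is exactly the free encryption-oracle power that Proposition 10.5 attributes to knowledge of pk. The same loop fails against a scheme whose Enc draws fresh random coins on every call, because the attacker can no longer reproduce the challenge ciphertext; that is the property Theorem 10.6 forces on any secure scheme.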

Although  the  above  theorem  seems  deceptively  simple,  for  a long  time  many 
real-world  systems  were  designed  using  deterministic  public-key  encryption. 
When public-key encryption was introduced it is fair to say that the importance
of probabilistic encryption was not yet fully realized. The seminal work
of  Goldwasser  and  Micali,  in  which  (something  equivalent  to)  Definition  10.3 
was  proposed  and  Theorem  10.6  was  proved,  marked  a turning  point  in  the 
field  of  cryptography.  The  importance  of  pinning  down  one’s  intuition  in  a 
formal  definition,  and  looking  at  things  the  right  way  for  the  first  time  — 
even  if  seemingly  simple  in  retrospect  — should  not  be  underestimated. 

10.2.2  Multiple  Encryptions 

As  in  Chapter  3,  it  is  important  to  understand  the  effect  of  using  the  same 
key  (in  this  case,  the  same  public  key)  for  encrypting  multiple  messages. 
We define security in such a setting via an extension of the definition of
eavesdropping  security  (Definition  10.3),  though  it  should  be  clear  from  the 
discussion  in  the  previous  section  that  the  definition  we  give  is  automatically 
equivalent to a definition in which chosen-plaintext attacks are also allowed.
We  then  prove  that  any  scheme  having  indistinguishable  encryptions  in  the 
presence  of  an  eavesdropper  is  automatically  secure  even  when  used  to  encrypt 
multiple  messages.  This  means  that  we  can  prove  security  with  respect  to  the 
former  definition,  which  is  simpler  and  easier  to  work  with,  and  conclude 
that  the  scheme  satisfies  the  latter  definition,  which  more  accurately  models 
adversarial  attacks. 

An  analogous  result  in  the  private-key  setting  was  stated,  but  not  proved, 
as Proposition 3.22. That claim refers to security under a chosen-plaintext
attack,  but  as  we  have  seen  this  is  equivalent  to  eavesdropping  in  this  setting. 

Consider the following experiment defined for a public-key encryption scheme
Π = (Gen, Enc, Dec) and adversary $\mathcal{A}$:

The multiple message eavesdropping experiment $\mathsf{PubK}^{\mathsf{mult}}_{\mathcal{A},\Pi}(n)$:

1. $\mathrm{Gen}(1^n)$ is run to obtain keys (pk, sk).

2. Adversary $\mathcal{A}$ is given pk, and outputs a pair of vectors of
messages $M_0 = (m_0^1, \ldots, m_0^t)$ and $M_1 = (m_1^1, \ldots, m_1^t)$ such
that $|m_0^i| = |m_1^i|$ for all i. (All messages must be in the
plaintext space associated with pk.)

3. A random bit $b \leftarrow \{0,1\}$ is chosen. For all i, the ciphertext
$c^i \leftarrow \mathrm{Enc}_{pk}(m_b^i)$ is computed and the vector of ciphertexts
$C = (c^1, \ldots, c^t)$ is given to $\mathcal{A}$. Adversary $\mathcal{A}$ then outputs a
bit $b'$.

4. The output of the experiment is defined to be 1 if $b' = b$, and
0 otherwise.

DEFINITION 10.7 A public-key encryption scheme Π = (Gen, Enc, Dec)
has indistinguishable multiple encryptions in the presence of an eavesdropper
if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible
function negl such that:

$$\Pr\big[\mathsf{PubK}^{\mathsf{mult}}_{\mathcal{A},\Pi}(n) = 1\big] \le \frac{1}{2} + \mathsf{negl}(n).$$

The proof that the above definition is equivalent to Definition 10.3 is not
difficult, though it is a bit technical. We therefore provide some intuition
before giving the formal proof. For this discussion we deal with the case
that t = 2 in $\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n)$. (In general, t can be arbitrary and may even
depend on n or pk.) Fix an arbitrary PPT adversary A and a public-key
encryption scheme Π that has indistinguishable encryptions in the presence
of an eavesdropper, and consider experiment $\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n)$ with t = 2. In this
experiment, if b = 0 the adversary is given $C = (\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2))$ while
if b = 1 the adversary is given $C = (\mathsf{Enc}_{pk}(m_1^1), \mathsf{Enc}_{pk}(m_1^2))$.

We show that there exists a negligible function negl such that

$$\Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathsf{negl}(n).$$

We use the fact that

$$\Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1] = \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0] + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_1^1), \mathsf{Enc}_{pk}(m_1^2)) = 1],$$

where the equality follows by conditioning on the two possible values of b.

Consider what would happen if A were given $(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2))$; i.e.,
a pair of ciphertexts where the first is an encryption from $M_0$ and the second
is an encryption from $M_1$. Although this does not correspond to anything
that can happen in experiment $\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n)$, the probability that A outputs 0
when given two ciphertexts computed in this way is still well-defined. We
claim:


CLAIM 10.8 There exists a negligible function negl such that

$$\frac{1}{2} + \mathsf{negl}(n) \ge \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0] + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 1].$$

PROOF To prove the claim, construct the following PPT adversary A' that
eavesdrops on the encryption of a single message.

Adversary A':

1. A', given pk, runs A(pk) to obtain two vectors of messages
$M_0 = (m_0^1, m_0^2)$ and $M_1 = (m_1^1, m_1^2)$.

2. A' outputs a pair of messages $(m_0^2, m_1^2)$, and is given in return
a ciphertext $c^2$.

3. A' computes $c^1 \leftarrow \mathsf{Enc}_{pk}(m_0^1)$, runs $A(c^1, c^2)$, and outputs
the bit b' that is output by A.

If we look at the experiment $\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n)$, we see that when b = 0 adversary
A' is given $\mathsf{Enc}_{pk}(m_0^2)$. Furthermore,

$$\Pr[A'(\mathsf{Enc}_{pk}(m_0^2)) = 0] = \Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0].$$

In contrast, when b = 1 in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n)$, adversary A' is given
$\mathsf{Enc}_{pk}(m_1^2)$. Furthermore,

$$\Pr[A'(\mathsf{Enc}_{pk}(m_1^2)) = 1] = \Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 1].$$

By the security of Π (in the sense of single-message indistinguishability),
there exists a negligible function negl such that

$$\frac{1}{2} + \mathsf{negl}(n) \ge \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n) = 1] = \frac{1}{2}\cdot\Pr[A'(\mathsf{Enc}_{pk}(m_0^2)) = 0] + \frac{1}{2}\cdot\Pr[A'(\mathsf{Enc}_{pk}(m_1^2)) = 1]$$
$$= \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0] + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 1],$$

completing the proof of the claim. ■

By a very similar argument, one can also prove:

CLAIM 10.9 There exists a negligible function negl such that

$$\frac{1}{2} + \mathsf{negl}(n) \ge \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 0] + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_1^1), \mathsf{Enc}_{pk}(m_1^2)) = 1].$$

Summing the expressions in these two claims and using the fact that the sum
of two negligible functions is negligible, we see that there exists a negligible
function negl such that:

$$1 + \mathsf{negl}(n) \ge \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0]$$
$$\qquad + \frac{1}{2}\cdot\Big(\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 1] + \Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_1^2)) = 0]\Big)$$
$$\qquad + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_1^1), \mathsf{Enc}_{pk}(m_1^2)) = 1]$$
$$= \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_0^1), \mathsf{Enc}_{pk}(m_0^2)) = 0] + \frac{1}{2} + \frac{1}{2}\cdot\Pr[A(\mathsf{Enc}_{pk}(m_1^1), \mathsf{Enc}_{pk}(m_1^2)) = 1]$$
$$= \frac{1}{2} + \Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1],$$

where the middle term collapses to 1/2 because the two probabilities in
parentheses are of complementary events and so sum to 1. This implies that

$$\Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathsf{negl}(n)$$

as desired. This completes the proof of equivalence for the case t = 2.

The  main  complication  that  arises  in  the  general  case  is  that  t is  no  longer 
fixed  but  may  instead  depend  on  n.  The  formal  proof  of  the  theorem  that 
follows  serves  as  a good  illustration  of  the  hybrid  argument  which  is  used 
extensively  in  the  analysis  of  more  complex  cryptographic  schemes;  on  a first 
reading,  though,  the  reader  may  want  to  skip  the  proof. 

THEOREM 10.10 If a public-key encryption scheme Π has indistinguishable
encryptions in the presence of an eavesdropper, then Π has indistinguishable
multiple encryptions in the presence of an eavesdropper.

PROOF Fix an arbitrary PPT adversary A, and consider experiment
$\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n)$. Let t = t(n) be an upper bound on the number of messages
in each of the two vectors output by A, and assume without loss of generality
that A always outputs vectors containing exactly this many messages. (That
this is indeed without loss of generality is left as an exercise.) For a given
public key pk and vectors $M_0 = (m_0^1, \ldots, m_0^t)$ and $M_1 = (m_1^1, \ldots, m_1^t)$ output
by A, define

$$C^{(i)} \stackrel{\mathrm{def}}{=} \big(\underbrace{\mathsf{Enc}_{pk}(m_0^1), \ldots, \mathsf{Enc}_{pk}(m_0^i)}_{i\ \text{terms}},\ \underbrace{\mathsf{Enc}_{pk}(m_1^{i+1}), \ldots, \mathsf{Enc}_{pk}(m_1^t)}_{t-i\ \text{terms}}\big)$$

for $0 \le i \le t$. We stress that the above encryptions are always performed using
independent random coins, and so the above actually represents a distribution
over vectors containing t ciphertexts. Using this notation, we have

$$\Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1] = \frac{1}{2}\cdot\Pr[A(C^{(t)}) = 0] + \frac{1}{2}\cdot\Pr[A(C^{(0)}) = 1]. \qquad (10.1)$$

Consider the following PPT adversary A' that eavesdrops on the encryption
of a single message.

Adversary A':

1. A', given pk, runs A(pk) to obtain two vectors of messages
$M_0 = (m_0^1, \ldots, m_0^t)$ and $M_1 = (m_1^1, \ldots, m_1^t)$, with t = t(n).

2. A' chooses a random index $i \leftarrow \{1, \ldots, t\}$ and outputs the
pair of messages $m_0^i, m_1^i$. A' is given in return a ciphertext $c^i$.

3. For j < i, A' computes $c^j \leftarrow \mathsf{Enc}_{pk}(m_0^j)$. For j > i, A'
computes $c^j \leftarrow \mathsf{Enc}_{pk}(m_1^j)$. Then A' runs $A(c^1, \ldots, c^t)$ and
outputs the bit b' that is output by A.
Intuitively, we view A' as "guessing" an index $i \in \{1, \ldots, t\}$ for which A
distinguishes between $C^{(i-1)}$ and $C^{(i)}$. This is because the ith element in the
vector $(c^1, \ldots, c^t)$ given to A is $c^i$, the challenge ciphertext of A'. Thus, if A
distinguishes between $C^{(i-1)}$ and $C^{(i)}$, this means that it actually distinguishes
between an encryption of $m_0^i$ and an encryption of $m_1^i$ (because this is the
only difference between $C^{(i-1)}$ and $C^{(i)}$). This is the core idea of the proof
below.

In experiment $\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n)$, when b = 0 and i = i*, adversary A' is given
$\mathsf{Enc}_{pk}(m_0^{i^*})$ and A is run on input distributed according to $C^{(i^*)}$. So,

$$\Pr[A' \text{ outputs } 0 \mid b = 0] = \sum_{i^*=1}^{t} \Pr[A' \text{ outputs } 0 \mid b = 0 \wedge i = i^*]\cdot\Pr[i = i^*] = \sum_{i^*=1}^{t} \frac{1}{t}\cdot\Pr[A(C^{(i^*)}) = 0].$$

On the other hand, when b = 1 and i = i* in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n)$,
adversary A' is given $\mathsf{Enc}_{pk}(m_1^{i^*})$ and A is run on input distributed according
to $C^{(i^*-1)}$. So,

$$\Pr[A' \text{ outputs } 1 \mid b = 1] = \sum_{i^*=1}^{t} \Pr[A' \text{ outputs } 1 \mid b = 1 \wedge i = i^*]\cdot\Pr[i = i^*] = \sum_{i^*=1}^{t} \frac{1}{t}\cdot\Pr[A(C^{(i^*-1)}) = 1] = \sum_{i^*=0}^{t-1} \frac{1}{t}\cdot\Pr[A(C^{(i^*)}) = 1]$$

(where the third equality is just by shifting the indices of the summation).

By assumption, Π has indistinguishable encryptions in the presence of an
eavesdropper, and so there exists a negligible function negl such that:

$$\frac{1}{2} + \mathsf{negl}(n) \ge \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A',\Pi}(n) = 1]$$
$$= \frac{1}{2}\cdot\Pr[A' \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\cdot\Pr[A' \text{ outputs } 1 \mid b = 1]$$
$$= \sum_{i^*=1}^{t} \frac{1}{2t}\cdot\Pr[A(C^{(i^*)}) = 0] + \sum_{i^*=0}^{t-1} \frac{1}{2t}\cdot\Pr[A(C^{(i^*)}) = 1]$$
$$= \frac{1}{2t}\cdot\sum_{i^*=1}^{t-1}\Big(\Pr[A(C^{(i^*)}) = 0] + \Pr[A(C^{(i^*)}) = 1]\Big) + \frac{1}{2t}\cdot\Big(\Pr[A(C^{(t)}) = 0] + \Pr[A(C^{(0)}) = 1]\Big)$$
$$= \frac{t-1}{2t} + \frac{1}{t}\cdot\Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1],$$

where the last equality uses Equation (10.1) together with the fact that each
pair of probabilities in the first sum is of complementary events and so sums
to 1. Multiplying both sides by t and subtracting (t-1)/2 shows that this implies

$$\frac{1}{2} + t(n)\cdot\mathsf{negl}(n) \ge \Pr[\mathsf{PubK}^{\mathsf{mult}}_{A,\Pi}(n) = 1].$$

Because t is polynomial, the function t(n)·negl(n) is also negligible. Since A
is an arbitrary PPT adversary, this completes the proof that Π has indistinguishable
multiple encryptions in the presence of an eavesdropper. ■


Encrypting Arbitrary-Length Messages

An immediate consequence of the above result is that given any public-key
encryption scheme for fixed-length messages that has indistinguishable
encryptions in the presence of an eavesdropper, we can obtain a public-key
encryption scheme for arbitrary-length messages satisfying the same notion
of security. We illustrate this in the extreme case when the original scheme
encrypts only 1-bit messages. Say Π = (Gen, Enc, Dec) is an encryption scheme
where the plaintext space is {0,1}. We can construct a new scheme Π' =
(Gen, Enc', Dec') with plaintext space {0,1}* by defining Enc' as follows:

$$\mathsf{Enc}'_{pk}(m) = \mathsf{Enc}_{pk}(m_1), \ldots, \mathsf{Enc}_{pk}(m_t), \qquad (10.2)$$

where $m = m_1 \cdots m_t$. The decryption algorithm Dec' is modified in the
obvious way. We have:


PROPOSITION 10.11 Let Π and Π' be as above. If Π has indistinguishable
encryptions in the presence of an eavesdropper, then so does Π'.

Proposition 10.11 is true when Π has indistinguishable encryptions in the
presence of an eavesdropper (and, by extension, when Π is CPA-secure),
but an analogous result is not true for the case of security against chosen-
ciphertext attacks. See Section 10.6 and Exercise 10.13.

A note  on  terminology.  We  have  shown  that  in  the  public-key  setting  any 
scheme  having  indistinguishable  encryptions  in  the  presence  of  an  eavesdrop- 
per is  also  CPA-secure.  This  means  that  once  we  prove  a scheme  secure  with 
respect  to  the  former  (relatively  weak)  definition  we  obtain  as  an  immediate 
consequence  security  with  respect  to  the  latter  (more  realistic)  definition.  We 
will  therefore  refer  to  schemes  as  being  “CPA-secure”  in  our  discussion  and 
theorem  statements,  but  in  our  proofs  we  will  work  exclusively  with  the  notion 
of  indistinguishable  encryptions  in  the  presence  of  an  eavesdropper. 
10.3 Hybrid Encryption

Proposition 10.11 shows that any CPA-secure public-key encryption scheme
for 1-bit messages can be used to obtain a CPA-secure encryption scheme for
messages of arbitrary length. Encrypting a t-bit message using this approach
requires t invocations of the original encryption scheme, meaning that both the
computation and the ciphertext length are increased by a multiplicative factor
of t relative to the underlying scheme. (Of course, if the original scheme can
encrypt strings of length n, then only ⌈t/n⌉ invocations are needed. However,
for long messages this is still unreasonable.)

It is possible to do significantly better, for messages that are sufficiently
long, by using private-key encryption in tandem with public-key encryption.
This improves efficiency because private-key encryption is significantly more
efficient than public-key encryption. The resulting combination is called hybrid
encryption and is used extensively in practice. The basic idea is to break
encryption into two steps. To encrypt a message m (see Figure 10.1):

1. The sender first chooses a random secret key k, and encrypts k using the
public key of the receiver. Call the resulting ciphertext $c_1$. The receiver
will be able to recover k by decrypting $c_1$, yet k will remain unknown to
an eavesdropper (by security of the public-key encryption scheme), and
so this has the effect of establishing a shared secret between the sender
and the receiver.

2. The sender then encrypts the message m using a private-key encryption
scheme (Gen', Enc', Dec') and the secret key k that has just been shared.
This results in a ciphertext $c_2$ that can be decrypted by the receiver
using k.


FIGURE 10.1: Hybrid encryption. (Diagram not reproduced; its labeled
inputs are the key k and the message m.)


The above two steps can be performed in "one shot" by having the sender
transmit the ciphertext $(c_1, c_2)$ to the receiver. We stress that although
private-key encryption is used as a component of the construction, the above
constitutes a public-key encryption scheme by virtue of the fact that the
sender and receiver do not share any secret key in advance.

Construction 10.12 gives a formal description of the (public-key) hybrid
encryption scheme $\Pi^{\mathsf{hy}}$ based on any public-key encryption scheme Π and
private-key encryption scheme Π' (recall that we assume that the key generation
algorithm Gen' for Π' just outputs a uniformly distributed key of
length n). The construction assumes that Π includes $\{0,1\}^n$ in the underlying
plaintext space so that a secret key $k \in \{0,1\}^n$ can be encrypted. The
plaintext space for $\Pi^{\mathsf{hy}}$ is identical to the plaintext space of Π', and for
simplicity we assume this to be {0,1}*.


CONSTRUCTION 10.12

Let Π = (Gen, Enc, Dec) be a public-key encryption scheme, and let
Π' = (Gen', Enc', Dec') be a private-key encryption scheme. Construct a
public-key encryption scheme $\Pi^{\mathsf{hy}} = (\mathsf{Gen}^{\mathsf{hy}}, \mathsf{Enc}^{\mathsf{hy}}, \mathsf{Dec}^{\mathsf{hy}})$ as follows:

• $\mathsf{Gen}^{\mathsf{hy}}$: on input 1^n run Gen(1^n) and use the public and private
keys (pk, sk) that are output.

• $\mathsf{Enc}^{\mathsf{hy}}$: on input a public key pk and a message m ∈ {0,1}*, proceed
as follows:

1. Choose a random $k \leftarrow \{0,1\}^n$ (recall that, by convention, n
can be determined from pk).

2. Compute $c_1 \leftarrow \mathsf{Enc}_{pk}(k)$ and $c_2 \leftarrow \mathsf{Enc}'_k(m)$.

3. Output the ciphertext $(c_1, c_2)$.

• $\mathsf{Dec}^{\mathsf{hy}}$: on input a private key sk and a ciphertext $(c_1, c_2)$ proceed
as follows:

1. Compute $k := \mathsf{Dec}_{sk}(c_1)$.

2. Output the message $m := \mathsf{Dec}'_k(c_2)$.

Hybrid encryption.

What is the efficiency of hybrid encryption relative to the approach (as in
Equation (10.2)) of using Enc to encrypt bit-by-bit or block-by-block? First
observe that hybrid encryption can only possibly give a performance improvement
when |m| > n; otherwise, instead of encrypting k using Enc we may as
well just encrypt m itself. When |m| ≫ n, though, hybrid encryption gives
a substantial efficiency improvement assuming Enc' is more efficient (per bit)
than Enc. In detail, for some fixed value of n let α denote the cost of encrypting
an n-bit key using Enc, and let β denote the cost (per bit of plaintext)
of encryption using Enc'. Then the cost, per bit of plaintext, of encrypting a
t-bit message using $\Pi^{\mathsf{hy}}$ is

$$\frac{\alpha + \beta\cdot t}{t} = \frac{\alpha}{t} + \beta, \qquad (10.3)$$

which approaches β as t gets large. In the limit of very long messages, then,
the cost per bit incurred by the public-key encryption scheme $\Pi^{\mathsf{hy}}$ is the same
as the cost per bit incurred by the private-key scheme Π'. Hybrid encryption
thus allows us to achieve the functionality of public-key encryption at the
efficiency of private-key encryption, at least for sufficiently long messages.

A similar calculation can be used to gauge the effect of hybrid encryption
on the ciphertext length. For a fixed value of n, let ℓ denote the length of
the encryption of an n-bit key using Enc, and say the private-key encryption
of a message m using Enc' results in a ciphertext of length n + |m| (this can
be achieved using one of the modes of encryption discussed in Section 3.6.4;
actually, even ciphertext length |m| is possible since, as we will see, Π' need
not be CPA-secure). Then the total length of a ciphertext in scheme $\Pi^{\mathsf{hy}}$ is

$$\ell + n + |m|. \qquad (10.4)$$

When using the approach of Equation (10.2) to encrypt n-bit blocks, the
resulting ciphertext has length ℓ·⌈|m|/n⌉, so the above is an improvement
for m sufficiently long.

We can use some rough estimates to get a sense for what the above results
mean in practice. (We stress that these numbers are only meant to give the
reader a feel for the improvement, while actual numbers would depend on
a variety of factors.) A typical value for the length n of the (symmetric)
key k might be n ≈ 100. Furthermore, a public-key encryption scheme might
encrypt up to 1000 bits in a single invocation, yielding a ciphertext at least
twice as long. (More precisely, the ciphertext length in this case for a message
of length t would be 2000·⌈t/1000⌉ ≈ 2t for large t.) Letting α, as before,
denote the cost of public-key encryption of a 100-bit key, we see that the
approach of Equation (10.2) would encrypt a 1MB (≈ 10^6-bit) message with
computational cost ≈ α·10^6/10^3 = 10^3·α, and the ciphertext would be 2MB
long. Compare this to the efficiency of hybrid encryption. Letting β, as
before, denote the per-bit computational cost of private-key encryption, a
reasonable approximation is β ≈ α/10^6. Using Equation (10.3), we see that
the computational cost of hybrid encryption for a 1MB message would be

$$10^6\cdot\left(\frac{\alpha}{10^6} + \frac{\alpha}{10^6}\right) = 2\alpha,$$

and the ciphertext would be only slightly longer than 1MB. Thus, hybrid
encryption improves the computational efficiency in this case by a factor
of 500(!), and the ciphertext length by a factor of 2.
It remains to analyze the security of $\Pi^{\mathsf{hy}}$. In the theorem that follows, we
show that the composite scheme $\Pi^{\mathsf{hy}}$ is CPA-secure as long as the original
public-key encryption scheme Π is CPA-secure and the private-key scheme Π'
has indistinguishable encryptions in the presence of an eavesdropper. Notice
that it suffices for Π' to satisfy a weaker definition of security (which, recall,
does not imply CPA-security in the private-key setting) in order for the
hybrid scheme $\Pi^{\mathsf{hy}}$ to be CPA-secure. Intuitively, the reason is that the secret
key k used during the course of encryption is chosen freshly and completely
at random each time a new message is encrypted. Since each key k is used
only once, indistinguishability of a single encryption in Π' suffices for security
of the hybrid scheme $\Pi^{\mathsf{hy}}$. (Hybrid encryption is thus one application where a
stream cipher may be used, while still achieving strong security guarantees.)

Before formally proving the security of $\Pi^{\mathsf{hy}}$, we highlight the overall intuition.
Let the notation "$X \overset{c}{\equiv} Y$" denote, intuitively, the fact that no
polynomial-time adversary can distinguish between X and Y. (This concept
is treated more formally in Section 6.8, though we do not rely on that
section here.) For example, the fact that Π is CPA-secure means that for any
pair of messages $m_0, m_1$ output by a PPT adversary A we have

$$(pk, \mathsf{Enc}_{pk}(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(m_1)),$$

where pk is generated by Gen(1^n). That is to say, an encryption of $m_0$ cannot
be distinguished (in polynomial time) from an encryption of $m_1$, even given pk.
Similarly, the fact that Π' has indistinguishable encryptions in the presence
of an eavesdropper means that for any $m_0, m_1$ output by A we have

$$\mathsf{Enc}'_k(m_0) \overset{c}{\equiv} \mathsf{Enc}'_k(m_1),$$

where k is chosen uniformly at random. Now, in order to prove CPA-security
of $\Pi^{\mathsf{hy}}$ we need to show that

$$(pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) \qquad (10.5)$$

for $m_0, m_1$ output by a PPT adversary A, where pk is output by Gen(1^n) and
the key k is chosen at random from $\{0,1\}^n$. (Equation (10.5) suffices for
demonstrating that $\Pi^{\mathsf{hy}}$ has indistinguishable encryptions in the presence of
an eavesdropper, and by Theorem 10.10 this implies that $\Pi^{\mathsf{hy}}$ is CPA-secure.)
The proof proceeds in three steps; see Figure 10.2. First we prove that

$$(pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) \qquad (10.6)$$

by CPA-security of Π. Indeed, the only difference between the left- and the
right-hand sides is the switch from encrypting k to encrypting an all-0 string of
the same length, in both cases using scheme Π. But security of Π means that
this change is not noticeable by a PPT adversary. Furthermore, this holds
even if k is known to the adversary, and so the fact that k is used also to
encrypt $m_0$ does not introduce any complications. (In contrast, if we were to
try to prove that $(pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1))$ based
on the security of Π' we would run into trouble, since indistinguishability of
$\mathsf{Enc}'_k(m_0)$ and $\mathsf{Enc}'_k(m_1)$ only holds when the adversary has no information
about k. However, if k is encrypted using Π then we can no longer claim this.
Of course, intuitively $\mathsf{Enc}_{pk}(k)$ does not reveal k, but this is exactly what we
are trying to prove.)

FIGURE 10.2: High-level structure of the proof of Theorem 10.13 (the
arrows represent indistinguishability). The figure shows the chain

$$(pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) \quad \text{(by security of } \Pi)$$
$$\overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) \quad \text{(by security of } \Pi')$$
$$\overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) \quad \text{(by security of } \Pi),$$

with the two ends of the chain connected by transitivity.

Next, we prove that

$$(pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) \qquad (10.7)$$

based on the fact that Π' has indistinguishable encryptions in the presence
of an eavesdropper. Indeed, here the difference is between encrypting $m_0$
and $m_1$, in both cases using Π' and a key k chosen uniformly at random.
Furthermore, no other information about k is leaked to the adversary, and
in particular no information can be leaked by $\mathsf{Enc}_{pk}(0^n)$ since this is just an
encryption of the all-0 string (and not k itself).

Exactly as in the case of Equation (10.6), we can also show that

$$(pk, \mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) \overset{c}{\equiv} (pk, \mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)), \qquad (10.8)$$

by relying again on the CPA-security of Π. Equations (10.6)–(10.8) imply,
by transitivity, the desired result in Equation (10.5). (We do not prove that
transitivity holds; rather, it will be implicit in the proof we give below.)

THEOREM 10.13 If Π is a CPA-secure public-key encryption scheme
and Π' is a private-key encryption scheme that has indistinguishable encryptions
in the presence of an eavesdropper, then $\Pi^{\mathsf{hy}}$ as in Construction 10.12
is a CPA-secure public-key encryption scheme.

PROOF Fix an arbitrary PPT adversary $A^{\mathsf{hy}}$, and consider experiment
$\mathsf{PubK}^{\mathsf{eav}}_{A^{\mathsf{hy}},\Pi^{\mathsf{hy}}}(n)$. (By Theorem 10.10, once we show that $\Pi^{\mathsf{hy}}$ has indistinguishable
encryptions in the presence of an eavesdropper we can conclude
that it is CPA-secure.) Our goal is to prove that there exists a negligible
function negl such that

$$\Pr[\mathsf{PubK}^{\mathsf{eav}}_{A^{\mathsf{hy}},\Pi^{\mathsf{hy}}}(n) = 1] \le \frac{1}{2} + \mathsf{negl}(n).$$

As previously, we will use the fact that

$$\Pr[\mathsf{PubK}^{\mathsf{eav}}_{A^{\mathsf{hy}},\Pi^{\mathsf{hy}}}(n) = 1] = \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) = 0] + \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) = 1]. \qquad (10.9)$$

Note that in each case, the probability is taken over randomly generated pk
as well as uniform choice of k. Furthermore, $A^{\mathsf{hy}}$ is also given the public key
pk but this is left implicit for better readability.

Consider the following PPT adversary $A_1$ that eavesdrops on a message
encrypted using public-key scheme Π.

Adversary $A_1$:

1. $A_1$, given pk, chooses random $k \leftarrow \{0,1\}^n$ (recall that, by
convention, n can be determined from pk) and outputs the
pair of messages $k, 0^n$. It is given in return a ciphertext $c_1$.

2. $A_1$ runs $A^{\mathsf{hy}}(pk)$ to obtain two messages $m_0, m_1$.

3. $A_1$ computes $c_2 \leftarrow \mathsf{Enc}'_k(m_0)$, then runs $A^{\mathsf{hy}}(c_1, c_2)$ and outputs
the bit b' that is output by $A^{\mathsf{hy}}$.

When b = 0 in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A_1,\Pi}(n)$, the adversary $A_1$ is given a ciphertext
of the form $\mathsf{Enc}_{pk}(k)$ where k was chosen uniformly at random by
$A_1$ in the first step. This means that $A^{\mathsf{hy}}$ is given a ciphertext of the form
$(c_1, c_2) = (\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0))$, for a randomly generated pk and uniform
choice of k. So,

$$\Pr[A_1 \text{ outputs } 0 \mid b = 0] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) = 0].$$

On the other hand, when b = 1 in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A_1,\Pi}(n)$, adversary $A_1$
is given a ciphertext of the form $\mathsf{Enc}_{pk}(0^n)$. This means that $A^{\mathsf{hy}}$ is given a
ciphertext of the form $(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0))$, and so

$$\Pr[A_1 \text{ outputs } 1 \mid b = 1] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 1].$$

By the assumption that Π has indistinguishable encryptions in the presence
of an eavesdropper, there exists a negligible function $\mathsf{negl}_1$ such that:

$$\frac{1}{2} + \mathsf{negl}_1(n) \ge \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A_1,\Pi}(n) = 1] \qquad (10.10)$$
$$= \frac{1}{2}\cdot\Pr[A_1 \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\cdot\Pr[A_1 \text{ outputs } 1 \mid b = 1]$$
$$= \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) = 0] + \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 1].$$

Next, consider the following PPT adversary A' that eavesdrops on a message
encrypted using the private-key scheme Π'.

Adversary A':

1. $A'(1^n)$ runs Gen(1^n) on its own to generate keys (pk, sk).

2. A' runs $A^{\mathsf{hy}}(pk)$ to obtain two messages $m_0, m_1$. These same
messages are output by A', and it is given in return a ciphertext $c_2$.

3. A' computes $c_1 \leftarrow \mathsf{Enc}_{pk}(0^n)$. Then A' runs $A^{\mathsf{hy}}(c_1, c_2)$ and
outputs the bit b' that is output by $A^{\mathsf{hy}}$.

When b = 0 in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{A',\Pi'}(n)$, adversary A' is given a ciphertext
of the form $\mathsf{Enc}'_k(m_0)$ where k is chosen at random (and is unknown to A').
This means that $A^{\mathsf{hy}}$ is given a ciphertext of the form $(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0))$
for a randomly generated pk and a randomly chosen k. We thus have

$$\Pr[A' \text{ outputs } 0 \mid b = 0] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 0].$$

On the other hand, when b = 1 in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{A',\Pi'}(n)$, adversary A' is
given a ciphertext of the form $\mathsf{Enc}'_k(m_1)$ where again k is chosen at random.
This means that $A^{\mathsf{hy}}$ is given a ciphertext of the form $(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1))$
and so

$$\Pr[A' \text{ outputs } 1 \mid b = 1] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 1].$$

By the assumption that Π' has indistinguishable encryptions in the presence
of an eavesdropper, there exists a negligible function negl' such that:

$$\frac{1}{2} + \mathsf{negl}'(n) \ge \Pr[\mathsf{PrivK}^{\mathsf{eav}}_{A',\Pi'}(n) = 1] \qquad (10.11)$$
$$= \frac{1}{2}\cdot\Pr[A' \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\cdot\Pr[A' \text{ outputs } 1 \mid b = 1]$$
$$= \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 0] + \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 1].$$
We will next show something that is exactly analogous to Equation (10.10)
(and so the reader is welcome to skip directly to Equation (10.12)). Consider
the following PPT adversary $A_2$ that eavesdrops on a message encrypted using
public-key scheme Π.

Adversary $A_2$:

1. $A_2$, given pk, chooses random $k \leftarrow \{0,1\}^n$ and outputs the
pair of messages $0^n, k$ (the order of these messages has been
switched relative to adversary $A_1$). It is given in return a
ciphertext $c_1$.

2. $A_2$ runs $A^{\mathsf{hy}}(pk)$ to obtain two messages $m_0, m_1$. $A_2$ computes
$c_2 \leftarrow \mathsf{Enc}'_k(m_1)$. Then $A_2$ runs $A^{\mathsf{hy}}(c_1, c_2)$ and outputs
the bit b' that is output by $A^{\mathsf{hy}}$.

In experiment $\mathsf{PubK}^{\mathsf{eav}}_{A_2,\Pi}(n)$, when b = 0 adversary $A^{\mathsf{hy}}$ is given a ciphertext
of the form $(c_1, c_2) = (\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1))$ for a randomly generated pk and
a uniformly distributed k. Thus,

$$\Pr[A_2 \text{ outputs } 0 \mid b = 0] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 0].$$

On the other hand, when b = 1 in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A_2,\Pi}(n)$, adversary $A^{\mathsf{hy}}$ is
given a ciphertext of the form $(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1))$, and so

$$\Pr[A_2 \text{ outputs } 1 \mid b = 1] = \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) = 1].$$

Since Π has indistinguishable encryptions in the presence of an eavesdropper,
there exists a negligible function $\mathsf{negl}_2$ such that:

$$\frac{1}{2} + \mathsf{negl}_2(n) \ge \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A_2,\Pi}(n) = 1] \qquad (10.12)$$
$$= \frac{1}{2}\cdot\Pr[A_2 \text{ outputs } 0 \mid b = 0] + \frac{1}{2}\cdot\Pr[A_2 \text{ outputs } 1 \mid b = 1]$$
$$= \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 0] + \frac{1}{2}\cdot\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) = 1].$$

At long last, we come to the conclusion of the proof. Summing Equations
(10.10)–(10.12) and using the fact that the sum of three negligible functions
is negligible, we see there exists a negligible function negl such that:

$$\frac{3}{2} + \mathsf{negl}(n) \ge \frac{1}{2}\cdot\Big(\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) = 0] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 1]$$
$$\qquad + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 0] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 1]$$
$$\qquad + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 0] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) = 1]\Big).$$

Note that

$$\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 1] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_0)) = 0] = 1,$$

since the probabilities of complementary events always sum to 1. Similarly,

$$\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 1] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(0^n), \mathsf{Enc}'_k(m_1)) = 0] = 1.$$

So we see that:

$$\frac{1}{2} + \mathsf{negl}(n) \ge \frac{1}{2}\cdot\Big(\Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_0)) = 0] + \Pr[A^{\mathsf{hy}}(\mathsf{Enc}_{pk}(k), \mathsf{Enc}'_k(m_1)) = 1]\Big),$$

which is exactly what we wanted to prove (cf. Equation (10.9)). ■


The  above  theorem  justifies  a focus  on  public-key  encryption  schemes  that 
can  encrypt  messages  of  length  n,  the  security  parameter.  Of  course,  in  theory 
it  suffices  to  just  construct  schemes  that  encrypt  single-bit  messages  (since 
they  can  be  extended  to  encrypt  n-bit  messages  using  a bit-by-bit  approach 
as  in  Section  10.2.2).  However,  in  practice  we  want  more  efficient  schemes 
than  those  yielded  by  encrypting  each  bit  separately.  The  point  is  that  even 
when  taking  efficiency  into  account,  there  is  not  much  reason  to  worry  about 
encrypting  longer  messages  once  a scheme  can  encrypt  messages  of  length  n. 


10.4  RSA  Encryption 

Our  discussion  regarding  public-key  encryption  has  thus  far  been  rather 
abstract:  we  have  seen  how  to  encrypt  arbitrary-length  messages  using  any 
public-key  encryption  scheme,  but  we  still  have  no  concrete  examples  of  any 
such  schemes!  In  this  section,  we  focus  on  one  popular  class  of  schemes  based 
on  the  RSA  assumption  (cf.  Section  7.2.4). 

10.4.1  “Textbook  RSA”  and  its  Insecurity 

Let GenRSA be a PPT algorithm that, on input 1^n, outputs a modulus N
that is the product of two n-bit primes, along with integers e, d satisfying
$ed = 1 \bmod \phi(N)$. (As usual, the algorithm may fail with negligible probability
but we ignore that here.) Recall from Section 7.2.4 that such an algorithm
can be easily constructed from any algorithm GenModulus that outputs a
composite modulus N along with its factorization:
ALGORITHM 10.14
RSA key generation GenRSA

Input: Security parameter $1^n$

Output: $N, e, d$ as described in the text

$(N, p, q) \leftarrow \mathsf{GenModulus}(1^n)$
$\phi(N) := (p-1)(q-1)$
choose $e$ such that $\gcd(e, \phi(N)) = 1$
compute $d := [e^{-1} \bmod \phi(N)]$
return $N, e, d$


We present what we call the “textbook RSA” encryption scheme as Construction 10.15. We refer to the scheme as we do since many textbooks describe RSA encryption in exactly this way with no further warning. Unfortunately, “textbook RSA” encryption is deterministic and hence automatically insecure, as we have already discussed extensively in Section 10.2.1. Even though it is insecure, we show it here since it provides a quick demonstration of why the RSA assumption is so useful for constructing public-key encryption schemes, and it serves as a useful stepping-stone to the secure construction we show in Section 10.4.3. (Presenting the textbook RSA scheme also gives us the opportunity to issue our own warning against using it.) We discuss how the RSA assumption can be used to construct secure encryption schemes later in this chapter, and in Chapter 13.


CONSTRUCTION 10.15

Let GenRSA be as in the text. Define a public-key encryption scheme as follows:

• Gen: on input $1^n$ run $\mathsf{GenRSA}(1^n)$ to obtain $N$, $e$, and $d$. The public key is $(N, e)$ and the private key is $(N, d)$.

• Enc: on input a public key $pk = (N, e)$ and a message $m \in \mathbb{Z}_N^*$, compute the ciphertext
$$c := [m^e \bmod N].$$

• Dec: on input a private key $sk = (N, d)$ and a ciphertext $c \in \mathbb{Z}_N^*$, compute the message
$$m := [c^d \bmod N].$$

The “textbook RSA” encryption scheme.

The fact that decryption always succeeds in recovering the message follows immediately from Corollary 7.22. As for the security of the scheme, one thing we can claim is that computing the private key is as hard as factoring moduli output by GenRSA. The reason for this is that, as mentioned briefly in Section 7.2.4, given $N = pq$ and $e, d$ with $ed = 1 \bmod \phi(N)$ it is possible to compute the factors of $N$ in polynomial time. We emphasize that this result says nothing about whether the message can be recovered from the ciphertext using other means (that do not involve explicit computation of the private key), nor does it imply that the encryption scheme itself is secure.

Although “textbook RSA” is not secure with respect to any of the definitions of security we have proposed in this chapter, it is possible to prove a very weak form of security for the scheme if the RSA assumption holds for GenRSA (cf. Definition 7.46). Namely, one can show that if a message $m$ is chosen uniformly at random from $\mathbb{Z}_N^*$, then no PPT adversary given the public key $(N, e)$ and the resulting ciphertext $c = [m^e \bmod N]$ can recover the entire message $m$. This is indeed a rather weak guarantee: $m$ must be chosen at random (so, in particular, it is not clear what we can say when $m$ corresponds to English-language text), and furthermore the only thing we can claim is that an adversary does not learn everything about $m$ (but it may learn a lot of partial information about $m$). It thus does not constitute a reasonable notion of security for most applications.

RSA Implementation Issues

We close this section with a brief discussion of some practical aspects related to RSA encryption. The discussion here applies not only to the textbook RSA scheme, but also to other schemes that rely on the RSA assumption.

Encoding binary strings as elements of $\mathbb{Z}_N^*$. Let $\ell = \|N\|$. Any binary string $m$ of length $\ell - 1$ can be viewed as an element of $\mathbb{Z}_N$ in the natural way. It is also possible to encode strings of varying lengths as elements of $\mathbb{Z}_N$ by padding using some unambiguous padding scheme.

A theoretical concern is that the (encoded) message $m$ may not lie in $\mathbb{Z}_N^*$ (i.e., it may be the case that $\gcd(m, N) \neq 1$). Even if this occurs, decryption still succeeds as shown in Exercise 7.10. If $m$ is chosen at random, the probability of this event is low (by Proposition B.17). Moreover, even if a sender tried to find an $m$ that did not lie in $\mathbb{Z}_N^*$ they would be unable to do so without factoring $N$: given $m \notin \mathbb{Z}_N^*$, the value $\gcd(m, N)$ is a non-trivial factor of $N$.

Choice of $e$. There does not appear to be any difference in the hardness of the RSA problem for different exponents $e$ and, as such, different methods have been suggested for selecting $e$. One popular choice is to set $e = 3$, since then computing $e$th powers modulo $N$ (as done when encrypting in the textbook RSA scheme) requires only two multiplications (see Appendix B.2.3). If $e$ is to be set equal to 3, then $p$ and $q$ must be chosen to satisfy $p, q \neq 1 \bmod 3$ so that $\gcd(e, \phi(N)) = 1$.

Choosing $e = 3$ leaves the textbook RSA scheme vulnerable to certain attacks, some of which are illustrated in the following section. This should be taken more as an indication of the inadequacy of Construction 10.15 than as an indication that setting $e = 3$ is a bad choice.

Note that choosing $d$ to be small in order to speed up decryption (that is, changing GenRSA so that a small $d$ is chosen first and then computing $e$) is a bad idea. If $d$ is chosen in a small range (say, $d < 2^{16}$) then a brute-force search for $d$ is easy to carry out. Even if $d$ is chosen so that $d \approx N^{1/4}$ and so brute-force attacks are ruled out, there are other potential attacks that can be used to recover $d$ from the public key.

Using the Chinese remainder theorem. The receiver, who holds the private key and hence the factorization of $N$, can utilize the Chinese remainder theorem (Section 7.1.5) to speed up computation of $d$th roots modulo $N$, as is necessary when decrypting. Specifically, since we have the correspondence $[c^d \bmod N] \leftrightarrow ([c^d \bmod p],\, [c^d \bmod q])$, the receiver can compute the partial results
$$m_p := [c^d \bmod p] = [c^{[d \bmod (p-1)]} \bmod p]$$
and
$$m_q := [c^d \bmod q] = [c^{[d \bmod (q-1)]} \bmod q]$$
and then combine these to obtain $m \leftrightarrow (m_p, m_q)$ as discussed in Section 7.1.5. Note that $[d \bmod (p-1)]$ and $[d \bmod (q-1)]$ can be computed and stored at the time of key generation, and so do not have to be recomputed every time decryption is performed. Assuming that exponentiation modulo a $u$-bit integer takes $u^3$ operations, we have that straightforward RSA decryption takes $8n^3$ steps (because $\|N\| = 2n$), whereas using Chinese remaindering it can be carried out in $2n^3$ steps, or 1/4 of the time! Such optimizations that speed up decryption are of great importance because it is often the case that a server needs to carry out many decryption operations simultaneously.

Example 10.16

Say $p = 11$, $q = 23$, and $e = 3$. Then $N = 253$, $\phi(N) = 220$, and $d = 147$.

To encrypt the binary message $m = 0111001$ with textbook RSA and the public key $pk = (N = 253, e = 3)$, simply interpret $m$ as the number 57 (and hence an element of $\mathbb{Z}_{253}$) in the natural way. Then compute
$$250 := [57^3 \bmod 253].$$
To decrypt, compute $57 := [250^{147} \bmod 253]$. Alternatively, using the Chinese remainder theorem the receiver could compute
$$250^{[147 \bmod 10]} \bmod 11 = 8^7 \bmod 11 = 2$$
and
$$250^{[147 \bmod 22]} \bmod 23 = 20^{15} \bmod 23 = 11.$$
Indeed, $57 \leftrightarrow (2, 11)$ and so decryption succeeds. (The desired answer can be recovered from the representation $(2, 11)$ as described in Section 7.1.5.) ◇
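As an added worked example (not code from the book), the following Python reproduces Algorithm 10.14, Construction 10.15 and the Chinese-remainder decryption above on the parameters of Example 10.16. The factorization $(p, q)$ and $e$ are supplied directly rather than produced by GenModulus, and the recombination of $(m_p, m_q)$ uses Garner's formula as one concrete form of the Section 7.1.5 recombination (an assumption of this example, not a step shown in the text).

```python
from math import gcd


def gen_rsa(p, q, e):
    """Algorithm 10.14 with (p, q) and e supplied as constructed input; a real
    GenRSA would obtain (N, p, q) from GenModulus and pick e itself."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must satisfy gcd(e, phi(N)) = 1")
    d = pow(e, -1, phi)            # d := [e^{-1} mod phi(N)]
    return N, e, d


def encode_bits(bits: str) -> int:
    """Interpret a binary string as an integer in the natural way (0111001 -> 57)."""
    return int(bits, 2)


def textbook_encrypt(pk, m):
    N, e = pk
    return pow(m, e, N)            # c := [m^e mod N]; deterministic, hence never CPA-secure


def textbook_decrypt(sk, c):
    N, d = sk
    return pow(c, d, N)            # m := [c^d mod N]


def crt_exponents(p, q, d):
    """[d mod (p-1)] and [d mod (q-1)], computed once at key-generation time."""
    return d % (p - 1), d % (q - 1)


def crt_decrypt(p, q, d, c):
    """Decrypt through the correspondence [c^d mod N] <-> ([c^d mod p], [c^d mod q]).
    Returns (m, (m_p, m_q)) so the partial results can be inspected."""
    dp, dq = crt_exponents(p, q, d)
    mp = pow(c % p, dp, p)         # partial result m_p, a (p-1)-sized exponent
    mq = pow(c % q, dq, q)         # partial result m_q, a (q-1)-sized exponent
    # Garner recombination: m = m_q + q * ((m_p - m_q) * q^{-1} mod p)
    h = ((mp - mq) * pow(q, -1, p)) % p
    return (mq + h * q) % (p * q), (mp, mq)


if __name__ == "__main__":
    N, e, d = gen_rsa(11, 23, 3)                    # Example 10.16 parameters
    c = textbook_encrypt((N, e), encode_bits("0111001"))
    print(N, d, c, textbook_decrypt((N, d), c), crt_decrypt(11, 23, d, c))
```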
10.4.2 Attacks on Textbook RSA

To obtain more of a feeling for the RSA problem, as well as to illustrate additional problems with textbook RSA encryption, we now describe various attacks, some of which apply only to Construction 10.15 and some of which apply more generally. We emphasize that none of these attacks indicate any vulnerability in provably-secure encryption schemes based on the RSA assumption, such as the one we will see in the next section, when these schemes are used properly.

Encrypting short messages using small $e$. If $e$ is small then the encryption of “small” messages is insecure when using textbook RSA encryption. For example, say $e = 3$ and the message $m$ is such that $m < N^{1/3}$ but $m$ is otherwise unknown to an attacker. (We assume in this case that $m$ is padded to the left with 0s and then interpreted as an element of $\mathbb{Z}_N$.) In this case, encryption of $m$ does not involve any modular reduction since the integer $m^3$ is less than $N$. This means that given the ciphertext $c = [m^3 \bmod N]$ an attacker can determine $m$ by computing $m := c^{1/3}$ over the integers, a computation that can be easily carried out.

Note that this is actually a realistic attack scenario: if strings are encoded as elements of $\mathbb{Z}_N$, then having $m < N^{1/3}$ corresponds to the encryption of a short message $m$ having length less than $\|N\|/3$ (assuming messages are encoded by padding to the left with 0s). Consider the case of hybrid encryption where 1024-bit RSA is used to encrypt a secret key of length 128 bits; in this case the key may be easily extracted.

A general attack when small $e$ is used.¹ The above attack shows that short messages can be recovered easily from their encryption if textbook RSA with small $e$ is used. Here, we extend the attack to the case of arbitrary-length messages as long as the same message is sent to multiple receivers.

Let $e = 3$ as before, and say the same message $m$ is sent to three different parties holding public keys $pk_1 = (N_1, 3)$, $pk_2 = (N_2, 3)$, and $pk_3 = (N_3, 3)$, respectively. Then an eavesdropper sees
$$c_1 = [m^3 \bmod N_1] \quad\text{and}\quad c_2 = [m^3 \bmod N_2] \quad\text{and}\quad c_3 = [m^3 \bmod N_3].$$
Assume $\gcd(N_i, N_j) = 1$ for all $i, j$ (if not, then at least one of the moduli can be factored immediately and the message $m$ can be easily recovered). Let $N^* = N_1 N_2 N_3$. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value $c < N^*$ such that:
$$c = c_1 \bmod N_1$$
$$c = c_2 \bmod N_2$$
$$c = c_3 \bmod N_3.$$

¹This attack relies on the Chinese remainder theorem presented in Section 7.1.5.
Moreover, using techniques similar to those shown in Section 7.1.5 it is possible to compute $c$ efficiently given the public keys and the above ciphertexts. Note that $c = m^3 \bmod N^*$. But since $m < \min\{N_1, N_2, N_3\}$ we have $m^3 < N^*$. As in the previous attack, this means that $c = m^3$ over the integers (i.e., with no modular reduction taking place), and $m$ can be obtained by computing the integer cube-root of $c$.

A quadratic improvement in recovering $m$. Since textbook RSA encryption is deterministic, we know that if the message $m$ is chosen from a small list of possible values then it is possible to determine $m$ from the ciphertext $c = [m^e \bmod N]$ by simply trying each possible value of $m$ as discussed in Section 10.2.1. If we know that $1 \le m \le C$ (when interpreting $m$ as an integer), then the time to carry out this attack is linear in $C$. Thus, one might hope that textbook RSA encryption could be used when $C$ is large, i.e., the message is chosen from some reasonably-large set of values. One possible scenario where this might occur is in the context of hybrid encryption (see Section 10.3), where the “message” that is encrypted directly by the public-key component is a random secret key of length $\ell$, and so $C = 2^\ell$.

Unfortunately, there is a clever attack that recovers $m$ in this case (with high probability) in time roughly $\sqrt{C}$. This is a significant improvement in practice: if an 80-bit (random) message is encrypted, then a brute-force attack taking $2^{80}$ steps is infeasible, but an attack taking $2^{40}$ steps is relatively easy to carry out.

A description of the attack appears below in Algorithm 10.17. In the description of the algorithm, we assume that $m < 2^\ell$ (i.e., $C = 2^\ell$) and that the attacker knows $\ell$. The value $\alpha$ is a constant with $\frac{1}{2} < \alpha < 1$.


ALGORITHM 10.17

An attack on textbook RSA encryption

Input: Public key $(N, e)$; ciphertext $c$; parameter $\ell$
Output: $m < 2^\ell$ such that $m^e = c \bmod N$

set $T := 2^{\alpha \ell}$
for $r = 1$ to $T$:
    $x_r := [c / r^e \bmod N]$
sort the pairs $\{(r, x_r)\}_{r=1}^{T}$ by their second component
for $s = 1$ to $T$:
    if $[s^e \bmod N] = x_r$ for some $r$
        return $[r \cdot s \bmod N]$


In the algorithm, if an $r$ that is not invertible modulo $N$ is ever encountered, then the factorization of $N$ can be easily computed (because this means that $\gcd(r, N) \neq 1$); we do not bother explicitly writing this in our description of the algorithm.
The time complexity of the algorithm is dominated by the time required to sort the $2^{\alpha \ell}$ pairs $(i, x_i)$; this can be done in time $O(\ell \cdot 2^{\alpha \ell})$. Binary search is used in the second-to-last line to check whether there exists an $r$ with $x_r = [s^e \bmod N]$.

We now sketch why the attack recovers $m$ with high probability. Let $c = m^e \bmod N$ with $m < 2^\ell$. If $m$ is chosen as a random $\ell$-bit integer, it can be shown that with good probability there exist $r, s$ with $1 < r, s < 2^{\alpha \ell}$ and $m = r \cdot s$. (See the references at the end of the chapter.) We claim that whenever this occurs, the above algorithm finds $m$. Indeed, in this case
$$c = m^e = (r \cdot s)^e = r^e \cdot s^e \bmod N,$$
and so $c / r^e = s^e \bmod N$ with $r, s < T$. It is easy to verify that the algorithm finds $r, s$ in this case. If you were not yet convinced, then this attack should tell you never to use deterministic encryption, even if you are encrypting large random keys.
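An added, runnable rendering of Algorithm 10.17 in Python (not the book's code): a dictionary lookup stands in for the sort-and-binary-search step, the modulus is a constructed toy product of two primes, and the second call shows the "with high probability" caveat from the sketch above, a message with no factorization $r \cdot s$ with $r, s \le T$, for which the algorithm finds nothing.

```python
import math

# Constructed toy modulus (not from the book): N = 10007 * 10037, with e = 3, for which
# gcd(3, phi(N)) = 1. Messages are taken with ell = 16, so m < 2^16.
P_TOY, Q_TOY = 10007, 10037
N_TOY = P_TOY * Q_TOY


def mitm_recover(N, e, c, ell, alpha=0.75):
    """Algorithm 10.17: return m < 2^ell with m^e = c mod N when m = r*s for some
    r, s <= T = 2^{alpha*ell}; return None when no such pair exists."""
    T = 1 << math.ceil(alpha * ell)          # T := 2^{alpha*ell}, rounded up to a power of 2
    table = {}                               # x_r -> r, replacing "sort, then binary search"
    for r in range(1, T + 1):
        if math.gcd(r, N) != 1:              # the case the text sets aside: r reveals a factor
            raise ValueError(f"gcd({r}, N) != 1, so N can be factored directly")
        x_r = c * pow(r, -e, N) % N          # x_r := [c / r^e mod N]
        table.setdefault(x_r, r)
    for s in range(1, T + 1):
        r = table.get(pow(s, e, N))          # is [s^e mod N] equal to some x_r?
        if r is not None:
            return r * s % N                 # [r * s mod N]
    return None


if __name__ == "__main__":
    m = 123 * 321                            # 39483 < 2^16, a product of two small factors
    print(mitm_recover(N_TOY, 3, pow(m, 3, N_TOY), 16))
```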

Common modulus attack I. This is a classic example of misuse of RSA. Imagine that a company wants to use the same modulus $N$ for each of its employees. Since it is not desirable for messages encrypted to one employee to be read by any other employee, the company issues different $(e_i, d_i)$ to each employee. That is, the public key of the $i$th employee is $pk_i = (N, e_i)$ and their private key is $sk_i = (N, d_i)$, where $e_i d_i = 1 \bmod \phi(N)$ for all $i$.

This approach is insecure, and allows any employee to read messages encrypted to all other employees. The reason is that, as noted in Section 7.2.4, given $N$ and $e_i, d_i$ with $e_i \cdot d_i = 1 \bmod \phi(N)$, the factorization of $N$ can be efficiently computed. Given the factorization of $N$, of course, it is possible to compute $d_j := [e_j^{-1} \bmod \phi(N)]$ for any $j$.

Common modulus attack II. The attack just shown allows any employee to decrypt messages sent to any other employee. This still leaves the possibility that sharing the modulus $N$ is fine as long as all employees trust each other (or, alternatively, as long as confidentiality need only be preserved against outsiders but not against other members of the company). Here we show a scenario indicating that sharing a modulus is still a bad idea, at least when textbook RSA encryption is used.

Say the same message $m$ is encrypted and sent to two different (known) employees with public keys $(N, e_1)$ and $(N, e_2)$ where $e_1 \neq e_2$. Assume further that $\gcd(e_1, e_2) = 1$. Then an eavesdropper sees the two ciphertexts
$$c_1 = m^{e_1} \bmod N \quad\text{and}\quad c_2 = m^{e_2} \bmod N.$$
Since $\gcd(e_1, e_2) = 1$, there exist integers $X, Y$ such that $Xe_1 + Ye_2 = 1$ by Proposition 7.2. Moreover, given the public exponents $e_1$ and $e_2$ it is possible to efficiently compute $X$ and $Y$ using the extended Euclidean algorithm (see Appendix B.1.2). We claim that $m = [c_1^X \cdot c_2^Y \bmod N]$, which can easily be calculated. This is true because
$$c_1^X \cdot c_2^Y = (m^{e_1})^X \cdot (m^{e_2})^Y = m^{Xe_1 + Ye_2} = m \bmod N.$$

Thus it is much better to share the complete key than part of it.

This example and those preceding it should serve as a warning to only ever use RSA (and any other cryptographic scheme) in the exact way that it is specified. Even minor and seemingly harmless modifications can open the door to attack.

10.4.3 Padded RSA

The insecurity of the textbook RSA encryption scheme, both vis-à-vis the various attacks described in the previous two sections as well as the fact that it cannot possibly satisfy Definition 10.3, means that other approaches to encryption based on RSA must be considered. One simple idea is to randomly pad the message before encrypting. A general paradigm for this approach is shown as Construction 10.18. The construction is defined based on a parameter $\ell$ that determines the length of messages that can be encrypted.


CONSTRUCTION 10.18

Let GenRSA be as before, and let $\ell$ be a function with $\ell(n) \le 2n - 2$ for all $n$. Define a public-key encryption scheme as follows:

• Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. Output the public key $pk = (N, e)$, and the private key $sk = (N, d)$.

• Enc: on input a public key $pk = (N, e)$ and a message $m \in \{0,1\}^{\ell(n)}$, choose a random string $r \leftarrow \{0,1\}^{\|N\| - \ell(n) - 1}$ and interpret $r \| m$ as an element of $\mathbb{Z}_N$ in the natural way. Output the ciphertext
$$c := [(r \| m)^e \bmod N].$$

• Dec: on input a private key $sk = (N, d)$ and a ciphertext $c \in \mathbb{Z}_N^*$, compute
$$\hat{m} := [c^d \bmod N],$$
and output the $\ell(n)$ low-order bits of $\hat{m}$.

The padded RSA encryption scheme.

It is clear from the description of the scheme that decryption always succeeds. (This is immediate when $r \| m \in \mathbb{Z}_N^*$, but is true even if $r \| m \notin \mathbb{Z}_N^*$. In any case, the latter occurs with only negligible probability.) Security of the padded RSA encryption scheme depends on $\ell$. If $\ell$ is too large, so that $\ell(n) = 2n - O(\log n)$, then a brute-force search through all possible values of the random padding $r$ can be carried out in $2^{O(\log n)} = \mathrm{poly}(n)$ time and the scheme will not be CPA-secure. This is not “just” a theoretical concern, since it also implies that if the message $m$ is chosen from a small space of possibilities then an eavesdropper can use a brute-force search to determine $m$.

When $\ell(n) = c \cdot n$ for some constant $c < 2$, it is reasonable to conjecture that padded RSA is secure but there is no known proof of security based on the standard RSA assumption introduced in Chapter 7. (It is possible, however, to prove security in this case based on a non-standard assumption; see Exercise 10.9.)

When $\ell(n)$ is very small, it is possible to prove the following:

THEOREM 10.19 If the RSA problem is hard relative to GenRSA then Construction 10.18 with $\ell(n) = O(\log n)$ has indistinguishable encryptions under a chosen-plaintext attack.

A full proof of this theorem is beyond the scope of this book; however, one step of the proof for $\ell(n) = 1$ is given as part of Exercise 10.10.² For a different, but somewhat related, way to construct a secure public-key encryption scheme based on the hardness of RSA, see Section 10.7.

PKCS #1 v1.5. A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption. For a public key $pk = (N, e)$ of the usual form, let $k$ denote the length of $N$ in bytes; i.e., $k$ is the integer satisfying $2^{8(k-1)} \le N < 2^{8k}$. Messages $m$ to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to $k - 11$ bytes. Encryption of a message $m$ that is $D$ bytes long is computed as
$$[(00000000 \,\|\, 00000010 \,\|\, r \,\|\, 00000000 \,\|\, m)^e \bmod N],$$
where $r$ is a randomly-generated string of $(k - D - 3)$ bytes, with none of these bytes equal to 0. (This latter condition on $r$ simply enables the message to be unambiguously recovered upon decryption.) Note that the maximum allowed length of $m$ ensures that the length of $r$ is at least 8 bytes.

PKCS #1 v1.5 is believed to be CPA-secure, although no proof based on the RSA assumption has ever been shown. Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding) that has been proven secure against such attacks (in what is called the random oracle model; see Chapter 13). This updated version is preferred for new implementations, though the older version is still widely used for reasons of backwards-compatibility. We present a high-level description of this scheme in Section 13.2.3.
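As an added example (not code from the book, and not an implementation of the PKCS standard itself), the following Python builds the PKCS #1 v1.5 block layout described above, next to the plain padded RSA of Construction 10.18, over a constructed toy modulus made from two Mersenne primes; the structural checks in the unpadding routine are this example's own illustration of why the no-zero-bytes rule on $r$ makes the message recoverable without ambiguity.

```python
import secrets

# Constructed toy key (not a real key size): N = (2^61 - 1)(2^89 - 1), a product of two
# Mersenne primes, so the example runs without a prime generator. e = 65537 is coprime
# to phi(N) because 65537 divides 2^j - 1 only when 32 divides j.
P_TOY, Q_TOY = (1 << 61) - 1, (1 << 89) - 1
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))


def byte_len(N: int) -> int:
    """k: the integer with 2^{8(k-1)} <= N < 2^{8k}."""
    return (N.bit_length() + 7) // 8


def pkcs1_v15_pad(m: bytes, k: int) -> bytes:
    """00 || 02 || r || 00 || m, with r made of k-D-3 random bytes, none of them zero."""
    D = len(m)
    if D > k - 11:                           # guarantees at least 8 bytes of r
        raise ValueError("message too long for this modulus")
    r = bytearray()
    while len(r) < k - D - 3:
        b = secrets.token_bytes(1)
        if b != b"\x00":                     # a zero inside r would be mistaken for the
            r += b                           # separator in front of m
    return b"\x00\x02" + bytes(r) + b"\x00" + m


def pkcs1_v15_unpad(block: bytes):
    """Inverse of pkcs1_v15_pad; None when the block does not have the expected shape."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)             # first zero after the header ends r
    if sep == -1 or sep - 2 < 8:
        return None
    return block[sep + 1:]


def pkcs1_v15_encrypt(pk, m: bytes) -> int:
    N, e = pk
    return pow(int.from_bytes(pkcs1_v15_pad(m, byte_len(N)), "big"), e, N)


def pkcs1_v15_decrypt(sk, c: int):
    N, d = sk
    return pkcs1_v15_unpad(pow(c, d, N).to_bytes(byte_len(N), "big"))


def padded_rsa_encrypt(pk, m_bits: str) -> int:
    """Construction 10.18: r || m with r of ||N|| - ell - 1 random bits, read as an integer."""
    N, e = pk
    ell = len(m_bits)
    r = secrets.randbits(N.bit_length() - ell - 1)
    return pow((r << ell) | int(m_bits, 2), e, N)   # r || m < 2^{||N||-1} <= N


def padded_rsa_decrypt(sk, c: int, ell: int) -> str:
    """Construction 10.18: the ell low-order bits of [c^d mod N]."""
    N, d = sk
    return format(pow(c, d, N) & ((1 << ell) - 1), f"0{ell}b")


if __name__ == "__main__":
    c = pkcs1_v15_encrypt((N_TOY, E_TOY), b"key!")
    print(byte_len(N_TOY), pkcs1_v15_decrypt((N_TOY, D_TOY), c))
```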


²For those who have covered Chapter 6, we remark that the theorem relies on the fact that the least-significant bit is a hard-core predicate for RSA.
10.5 The El Gamal Encryption Scheme

The El Gamal encryption scheme is another popular encryption scheme, and its security can be based on the hardness of the decisional Diffie-Hellman (DDH) problem. The DDH problem is discussed in detail in Section 7.3.2.

We begin by stating and proving a simple lemma that underlies the El Gamal encryption scheme and will also be useful for our work in Chapter 11. Let $G$ be a finite group, and let $m \in G$ be an arbitrary element. Essentially, the lemma states that multiplying $m$ by a random group element $g$ yields a random group element $g'$. Since the distribution of $g'$ is independent of $m$, this means that $g'$ contains no information about $m$. That is:

LEMMA 10.20 Let $G$ be a finite group, and let $m \in G$ be an arbitrary element. Then choosing random $g \leftarrow G$ and setting $g' := m \cdot g$ gives the same distribution for $g'$ as choosing random $g' \leftarrow G$. I.e., for any $\hat{g} \in G$
$$\Pr[m \cdot g = \hat{g}] = 1/|G|,$$
where the probability is taken over random choice of $g$.

PROOF Let $\hat{g} \in G$ be arbitrary. Then
$$\Pr[m \cdot g = \hat{g}] = \Pr[g = m^{-1} \cdot \hat{g}].$$
Since $g$ is chosen uniformly at random, the probability that $g$ is equal to the fixed element $m^{-1} \cdot \hat{g}$ is exactly $1/|G|$. ∎


The above lemma suggests a way to construct a perfectly-secret private-key encryption scheme that encrypts messages in $G$. The sender and receiver share as their secret key a random element $g \leftarrow G$. Then, to encrypt the message $m \in G$, the sender computes the ciphertext $g' := m \cdot g$. The receiver can recover the message from the ciphertext $g'$ by computing $m := g'/g$. Perfect secrecy of this scheme follows immediately from the lemma. In fact, we have already seen this scheme in a different guise: the one-time pad encryption scheme is exactly an example of the above approach, with the underlying group being the set of strings of some fixed length under the group operation of bit-wise XOR.

In the scheme as we have described it, $g$ is truly random and decryption is possible only because the sender and receiver have shared $g$ in advance. In the public-key setting, a different technique is needed to allow the receiver to decrypt. The crucial idea is to use a “pseudorandom” element $g$ rather than a truly random one. In a bit more detail, $g$ will be defined in such a way that the receiver will be able to compute $g$ using her private key, yet $g$ will “look random” for any eavesdropper. We now see how to implement this idea using the DDH assumption, and this discussion should become even more clear once we see the proof of Theorem 10.22.

As in Section 7.3.2, let $\mathcal{G}$ be a polynomial-time algorithm that, on input $1^n$, outputs a description of a cyclic group $G$, its order $q$ (with $\|q\| = n$), and a generator $g$. (As usual, we also require that the group operation in $G$ can be computed in time polynomial in $n$, and we allow that $\mathcal{G}$ may fail with negligible probability.) One use of El Gamal encryption is with $G$ being an elliptic curve group; such groups were introduced briefly in Section 7.3.4 and have the advantage of enabling the use of much shorter keys.

The El Gamal encryption scheme is defined as follows:


CONSTRUCTION 10.21

Let $\mathcal{G}$ be as in the text. Define a public-key encryption scheme as follows:

• Gen: on input $1^n$ run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$. Then choose a random $x \leftarrow \mathbb{Z}_q$ and compute $h := g^x$. The public key is $(G, q, g, h)$ and the private key is $(G, q, g, x)$.

• Enc: on input a public key $pk = (G, q, g, h)$ and a message $m \in G$, choose a random $y \leftarrow \mathbb{Z}_q$ and output the ciphertext
$$(g^y,\; h^y \cdot m).$$

• Dec: on input a private key $sk = (G, q, g, x)$ and a ciphertext $(c_1, c_2)$, output
$$m := c_2 / c_1^{\,x}.$$

The El Gamal encryption scheme.


To see that decryption succeeds, let $(c_1, c_2) = (g^y, h^y \cdot m)$ with $h = g^x$. Then
$$\frac{c_2}{c_1^{\,x}} = \frac{h^y \cdot m}{(g^y)^x} = \frac{(g^x)^y \cdot m}{g^{xy}} = \frac{g^{xy} \cdot m}{g^{xy}} = m.$$

To fully specify the scheme, we need to show how to encode binary strings as elements of $G$. We discuss this at the end of this section.

We now prove the security of the El Gamal encryption scheme. The reader may want to compare the proof of the following theorem to the proofs of Theorems 3.16 and 9.3.

THEOREM 10.22 If the DDH problem is hard relative to $\mathcal{G}$, then the El Gamal encryption scheme has indistinguishable encryptions under a chosen-plaintext attack.
PROOF Let $\Pi$ denote the El Gamal encryption scheme. We prove that $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper. By Theorem 10.10 this implies that it is CPA-secure.

Let $\mathcal{A}$ be a probabilistic, polynomial-time adversary, and define
$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1].$$

Consider the modified “encryption scheme” $\tilde{\Pi}$ where Gen is the same as in $\Pi$, but encryption of a message $m$ with respect to the public key $(G, q, g, h)$ is done by choosing random $y \leftarrow \mathbb{Z}_q$ and $z \leftarrow \mathbb{Z}_q$ and outputting the ciphertext
$$(g^y,\; g^z \cdot m).$$

Although $\tilde{\Pi}$ is not actually an encryption scheme (as there is no way for the receiver to decrypt), the experiment $\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n)$ is still well-defined since that experiment depends only on the key generation and encryption algorithms.

Lemma 10.20 and the discussion that immediately follows it imply that the second component of the ciphertext in scheme $\tilde{\Pi}$ is a uniformly-distributed group element and, in particular, is independent of the message $m$ being encrypted. (Remember that $g^z$ is a random element of $G$ when $z$ is chosen at random from $\mathbb{Z}_q$.) The first component of the ciphertext is trivially independent of $m$. Taken together, this means that the entire ciphertext contains no information about $m$. It follows that
$$\Pr[\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1] = \tfrac{1}{2}.$$

Now consider the following PPT algorithm $D$ that attempts to solve the DDH problem relative to $\mathcal{G}$ (recall that $D$ receives $(G, q, g, g_1, g_2, g_3)$ where $g_1 = g^x$, $g_2 = g^y$, and $g_3$ equals either $g^{xy}$ or $g^z$, for random $x, y, z$):

Algorithm $D$:

The algorithm is given $G, q, g, g_1, g_2, g_3$ as input.

• Set $pk = (G, q, g, g_1)$ and run $\mathcal{A}(pk)$ to obtain two messages $m_0, m_1$.

• Choose a random bit $b$, and set $c_1 := g_2$ and $c_2 := g_3 \cdot m_b$.

• Give the ciphertext $(c_1, c_2)$ to $\mathcal{A}$ and obtain an output bit $b'$. If $b' = b$, output 1; otherwise, output 0.

Let us analyze the behavior of $D$. There are two cases to consider:

Case 1: Say the input to $D$ is generated by running $\mathcal{G}(1^n)$ to obtain $(G, q, g)$, then choosing random $x, y, z \leftarrow \mathbb{Z}_q$, and finally setting $g_1 := g^x$, $g_2 := g^y$, and $g_3 := g^z$. Then $D$ runs $\mathcal{A}$ on a public key constructed as
$$pk = (G, q, g, g^x)$$
and a ciphertext constructed as
$$(c_1, c_2) = (g^y,\; g^z \cdot m_b).$$
We see that in this case the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed identically to $\mathcal{A}$'s view in experiment $\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n)$. Since $D$ outputs 1 exactly when the output $b'$ of $\mathcal{A}$ is equal to $b$, we have that
$$\Pr[D(G, q, g, g^x, g^y, g^z) = 1] = \Pr[\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n) = 1] = \tfrac{1}{2}.$$

Case 2: Say the input to $D$ is generated by running $\mathcal{G}(1^n)$ to obtain $(G, q, g)$, then choosing random $x, y \leftarrow \mathbb{Z}_q$, and finally setting $g_1 := g^x$, $g_2 := g^y$, and $g_3 := g^{xy}$. Then $D$ runs $\mathcal{A}$ on a public key constructed as
$$pk = (G, q, g, g^x)$$
and a ciphertext constructed as
$$(c_1, c_2) = (g^y,\; g^{xy} \cdot m_b) = (g^y,\; h^y \cdot m_b).$$
We see that in this case the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed exactly as $\mathcal{A}$'s view in experiment $\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$. Since $D$ outputs 1 exactly when the output $b'$ of $\mathcal{A}$ is equal to $b$, we have that
$$\Pr[D(G, q, g, g^x, g^y, g^{xy}) = 1] = \Pr[\mathsf{PubK}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1] = \varepsilon(n).$$

Since the DDH problem is hard relative to $\mathcal{G}$, there must exist a negligible function $\mathsf{negl}$ such that
$$\mathsf{negl}(n) \ge \Big|\Pr[D(G, q, g, g^x, g^y, g^z) = 1] - \Pr[D(G, q, g, g^x, g^y, g^{xy}) = 1]\Big| = \Big|\tfrac{1}{2} - \varepsilon(n)\Big|.$$
This implies that $\varepsilon(n) \le \tfrac{1}{2} + \mathsf{negl}(n)$, completing the proof. ∎

El  Gamal  Implementation  Issues 

We  briefly  discuss  a few  practical  aspects  related  to  El  Gamal  encryption. 

Encoding  binary  strings.  As  noted  earlier,  in  order  to  fully  specify  a 
usable  encryption  scheme  we  need  to  show  how  to  encode  binary  strings  as 
elements  of  G.  This,  of  course,  depends  on  the  particular  type  of  group 
under  consideration.  We  sketch  one  possible  encoding  when  G is  taken  to  be 
the  subgroup  of  quadratic  residues  modulo  a strong  prime  p as  discussed  in 
Section  7.3.3.  The  encoding  we  present  was  chosen  for  simplicity,  and  more 
efficient  encodings  are  possible. 
Let p be a strong prime, i.e., $q = (p-1)/2$ is also prime. Then the set of quadratic residues modulo p forms a group G of order q under multiplication modulo p. We can map the integers $\{1, \ldots, (p-1)/2\}$ to the set of quadratic residues modulo p by squaring: that is, the integer $\hat m$ is mapped to the quadratic residue $m = [\hat m^2 \bmod p]$. This encoding is one-to-one and efficiently reversible. It is one-to-one since any quadratic residue $[\hat m^2 \bmod p]$ has exactly the two square roots $[\pm \hat m \bmod p]$, and exactly one of these values lies in the range $\{1, \ldots, (p-1)/2\}$. (This is so because $[\hat m \bmod p] \le (p-1)/2$ if and only if $[-\hat m \bmod p] = p - [\hat m \bmod p] > (p-1)/2$.) The encoding is efficiently invertible since square roots modulo p are easy to compute (the interested reader is referred to Sections 11.1.1 and 11.2.1).

Given the above, we can map a string $\hat m$ of length $n-1$ to an element $m \in G$ in the following way (recall that $n = \|q\|$, the bit-length of q): given a string $\hat m \in \{0,1\}^{n-1}$, interpret it as an integer in the natural way and add 1 to obtain an integer $\hat m$ with $1 \le \hat m \le q$ (recall $q = (p-1)/2$). Then take $m := [\hat m^2 \bmod p]$.


Example 10.23

Let $q = 83$ and $p = 2q + 1 = 167$, and let G be the group of quadratic residues modulo p. Since q is prime, any element of G except 1 is a generator; take $g = 2^2 = 4 \bmod 167$. Say the receiver chooses secret key $x = 37 \in \mathbb{Z}_{83}$, and so the public key is

$$pk = (167, 83, 4, [4^{37} \bmod 167]) = (167, 83, 4, 76).$$

To encrypt the 6-bit message $\hat m = 011101$, view it as the integer 29 and then add 1 to obtain $\hat m = 30$. Squaring this gives $m = [30^2 \bmod 167] = 65$. This is our encoding of the message. Picking $y = 71$ when encrypting, we obtain the ciphertext

$$([4^{71} \bmod 167], \; [76^{71} \cdot 65 \bmod 167]) = (132, 44).$$

To decrypt, the receiver first computes $124 = [132^{37} \bmod 167]$; then, since $66 = [124^{-1} \bmod 167]$, the receiver can recover $m = 65 = [44 \cdot 66 \bmod 167]$. This m has the two square roots 30 and 137, but the latter is greater than q. So $\hat m = 30$ and $\hat m$ is determined to be the binary representation of 29. ◇

Sharing public parameters. Our description of the El Gamal encryption scheme in Construction 10.21 requires the receiver to run $\mathcal{G}$ to generate G, q, g. In practice, however, it is common for these parameters to be generated "once-and-for-all" and then used by multiple receivers. (For example, a system administrator can fix these parameters for a particular choice of security parameter n, and then everyone in the system can share these values.) Of course, each receiver must choose their own secret value x and publish their own public key containing $h = g^x$.

Sharing public parameters is not believed to compromise the security of the encryption scheme in any way. Assuming that the DDH problem is hard relative to $\mathcal{G}$ in the first place, there is no problem using shared public parameters because the DDH problem is still believed to be hard even for the party who runs $\mathcal{G}$ to generate G, q, g. This is in contrast to RSA, where the party who runs GenRSA, at least the way we have described it, knows the factorization of the modulus N that is output. Other attacks when parameters are shared were described in Section 10.4.2. We conclude that in the case of RSA, parameters cannot be shared.


10.6  Security  Against  Chosen-Ciphertext  Attacks 

Chosen-ciphertext  attacks,  in  which  an  adversary  is  allowed  to  obtain  the 
decryption  of  arbitrary  ciphertexts  of  its  choice  (with  one  technical  restriction 
described  below),  are  as  much  of  a concern  in  the  public-key  setting  as  they 
are  in  the  private-key  setting.  Arguably,  in  fact,  they  are  more  of  a concern  in 
the  public-key  setting  since  a receiver  in  the  public-key  setting  expects  to  re- 
ceive ciphertexts  from  multiple  senders,  who  are  possibly  unknown  in  advance, 
whereas  a receiver  in  the  private-key  setting  intends  only  to  communicate  with 
a single,  known  sender  using  any  particular  secret  key. 

There are a number of realistic scenarios in which chosen-ciphertext attacks are possible. Assume an eavesdropper A observes a ciphertext c sent by a sender S to a receiver R. In the public-key setting one can imagine two broad classes of chosen-ciphertext attacks that might occur:

• A might send a ciphertext c' to R, but claim that this ciphertext was sent by S. (E.g., in the context of encrypted e-mail, A might construct an encrypted e-mail message c' and forge the "From" field so that it appears that the e-mail originated from S.) In this case, although it is unlikely that A would be able to obtain the entire decryption m' of c', it might be possible for A to infer some information about m' based on the subsequent behavior of R. By generating c' from c, it may be possible to infer information about the message m from the decryption m' of c'.

• A might send a ciphertext c' to R in its own name. In this case, it may be easier for A to obtain the entire decryption m' of c' because R may respond directly to A. Another possibility is that A may not obtain the decryption of c' at all, but the content of m' may have beneficial consequences for A (see the third scenario below for an example).

Note that the second class of attacks applies only in the context of public-key encryption, and does not really make sense in the private-key setting. We now give some scenarios demonstrating the above types of attacks. In each case, we also discuss the effect of replaying c itself (i.e., setting c' = c) to illustrate why the definitional restriction of disallowing such a query still results in a practically-meaningful security notion.

Scenario 1. Say a user S logs in to her bank account by sending an encryption of her password pw to the bank. (Logging in this way has other problems, but we ignore these for now.) Assume further that there are two types of error messages that the bank sends after a failed login: upon receiving an encryption of pw from a user S, who is assumed to have an account with the bank, the bank sends "invalid password" if pw contains any non-alphanumeric characters, and returns "password incorrect" if pw is a valid password but it does not match the stored password of S.

If an adversary obtains a ciphertext c sent by S to the bank, the adversary can now mount a (partial) chosen-ciphertext attack by sending ciphertexts c' to the bank on behalf of S, and observing the error messages that result. This information may be enough to enable the adversary to determine the user's password. Note that the adversary gains no information about the user's password by sending c to the bank, since it already knows in this case that no error message will be generated.*

Scenario 2. Say S sends an encrypted e-mail c to R, and this e-mail is observed by A. If A sends (in its own name) an encrypted e-mail c' to R, then R might reply to this e-mail and quote the decrypted text m' corresponding to c'. In this case, R is exactly acting as a decryption oracle for A and might potentially decrypt any ciphertext that A sends it. On the other hand, if A sends c itself to R then R may get suspicious and refuse to respond, depending on the contents of the underlying message m.

Scenario 3. A closely related issue to that of chosen-ciphertext security is the possible malleability of ciphertexts. Since a formal definition is quite involved, we do not pursue one here but instead only give the intuitive idea. Say an encryption scheme has the property that given an encryption c of some unknown message m, it is possible to come up with a ciphertext c' that is an encryption of a message m' that is unknown, but related in some known way to m. For example, perhaps given an encryption c of m, it is possible to construct a ciphertext c' that is an encryption of 2m. (We will see natural examples of schemes with this and similar properties later in this section. See also Section 11.3.3.)

Now imagine that R is running an auction, where two parties S and A submit their bids by encrypting them using the public key of R. If a CPA-secure encryption scheme having the above property is used, it may be possible for an adversary A to always place the highest bid (without bidding the maximum) by carrying out the following attack: wait until S sends a ciphertext c corresponding to its bid m (that is unknown to A); then, send a ciphertext c' corresponding to the bid m' = 2m. Note that both m and m' remain unknown to A (until R announces the results), and so the possibility of such an attack does not contradict the fact that the encryption scheme is CPA-secure. In contrast, it can be shown that CCA-secure schemes are non-malleable, meaning that they are not vulnerable to such attacks.

* Re-sending c is an example of a replay attack, and in this example would have the negative effect of fooling the bank into thinking that S was logging in. This can be fixed by having the user encrypt a time-stamp along with her password, but the addition of a time-stamp does not change the feasibility of the described attack. (In fact, it may make an attack easier since there may now be a third error message indicating an invalid time-stamp.)

The definition. We now present a formal definition of security against chosen-ciphertext attacks that exactly parallels Definition 3.30. (A cosmetic difference is that we do not give the adversary access to an encryption oracle; as discussed previously, an encryption oracle does not give any additional power to the adversary in the public-key setting.) For a public-key encryption scheme Π and an adversary A, consider the following experiment:

The CCA indistinguishability experiment $\mathsf{PubK}^{\mathsf{cca}}_{A,\Pi}(n)$:

1. $\mathsf{Gen}(1^n)$ is run to obtain keys $(pk, sk)$.

2. The adversary A is given pk and access to a decryption oracle $\mathsf{Dec}_{sk}(\cdot)$. It outputs a pair of messages $m_0, m_1$ of the same length. (These messages must be in the plaintext space associated with pk.)

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext $c \leftarrow \mathsf{Enc}_{pk}(m_b)$ is computed and given to A.

4. A continues to interact with the decryption oracle, but may not request a decryption of c itself. Finally, A outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.

DEFINITION 10.24 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that

$$\Pr[\mathsf{PubK}^{\mathsf{cca}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathsf{negl}(n).$$

We will not show any examples of CCA-secure encryption schemes in this book, since proofs of security for all existing constructions are rather complex. We remark, however, that a CCA-secure encryption scheme based on the DDH assumption, whose cost is roughly twice that of El Gamal encryption, is known (see the references at the end of this chapter). In Chapter 13 we discuss CCA-secure encryption schemes that are efficient, but that can be proven secure only in an idealized model explained in detail there. Constructing simpler or more efficient CCA-secure public-key encryption schemes, especially based on the RSA assumption, is an important open problem.

Examples of Chosen-Ciphertext Attacks

The vulnerability of encryption schemes to chosen-ciphertext attacks is not only a theoretical possibility. We show here that all the schemes we have seen so far are insecure under such attacks.

Textbook RSA encryption. In our earlier discussion, we noted that the textbook RSA encryption scheme at least satisfies the following security property (assuming the RSA problem is hard for GenRSA): if a message m is chosen uniformly at random from $\mathbb{Z}_N^*$ and encrypted with respect to the public key $(N, e)$, then an eavesdropping adversary cannot recover m in its entirety. It is not hard to see that even this weak property no longer holds if the adversary is allowed to mount a chosen-ciphertext attack. Say an adversary A intercepts the ciphertext $c = [m^e \bmod N]$. Then the adversary can choose a random $r \leftarrow \mathbb{Z}_N^*$ and compute the ciphertext $c' := [r^e \cdot c \bmod N]$. (Note that $c' \ne c$ unless $r = 1$, since RSA is a permutation; so the query $c'$ is permitted in the CCA experiment.) Given the decryption $m'$ of this ciphertext, A can recover $m = [m' \cdot r^{-1} \bmod N]$. To see that this works, note that

$$m' \cdot r^{-1} = (c')^d \cdot r^{-1} = (r^e \cdot m^e)^d \cdot r^{-1} = r m r^{-1} = m \bmod N,$$

where d is the value contained in the receiver's private key and used to decrypt $c'$ (and so $ed = 1 \bmod \phi(N)$).

Textbook RSA encryption is also vulnerable to the exact attack shown in the auction scenario discussed earlier (Scenario 3). Say an adversary observes a ciphertext $c = [m^e \bmod N]$ encrypted with respect to the public key $(N, e)$. Then we claim that the ciphertext $c' = [2^e c \bmod N]$ decrypts to $[2m \bmod N]$. This holds because

$$(c')^d = (2^e m^e)^d = 2m \bmod N,$$

where d is as above.
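Both attacks above, run end to end, as an added example that is not part of the book: a textbook-RSA key built from constructed toy primes, a decryption oracle standing in for the receiver, the blinding attack that recovers m from a single oracle query on $c' = r^e c \ne c$, and the $2^e c$ malleation from the auction scenario. The helper names and the toy primes are our choices, not the book's.

```python
# Added example (not from the book): chosen-ciphertext attacks on textbook
# RSA using a decryption oracle. The primes are constructed toy values;
# real keys use ~1024-bit primes. Helper names are ours.
import secrets

P, Q = 1009, 1013            # constructed toy primes (far too small for real use)
N = P * Q
E = 65537                    # public exponent; gcd(E, phi(N)) = 1 for these primes
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: E*D = 1 mod phi(N)


def rsa_encrypt(m):
    """Textbook RSA: c = m^e mod N, no padding, deterministic."""
    return pow(m, E, N)


def decryption_oracle(c):
    """The receiver's decryption step, exposed to the adversary as an oracle.
    (The CCA experiment forbids querying the challenge c itself.)"""
    return pow(c, D, N)


def cca_recover_message(c):
    """Blinding attack: given c = m^e, query the oracle on c' = r^e * c and
    unblind. For r != 1 we have c' != c, so the query is allowed."""
    while True:
        r = secrets.randbelow(N - 2) + 2          # r in [2, N-1]
        try:
            r_inv = pow(r, -1, N)                 # need r in Z_N^*
        except ValueError:                        # gcd(r, N) != 1: retry
            continue
        c_prime = (pow(r, E, N) * c) % N
        if c_prime != c:
            break
    m_prime = decryption_oracle(c_prime)          # m' = r*m mod N
    return (m_prime * r_inv) % N


def double_plaintext(c):
    """Malleability (auction scenario): c' = 2^e * c mod N decrypts to
    2m mod N, without the adversary ever learning m."""
    return (pow(2, E, N) * c) % N
```

The blinding attack needs exactly one oracle query, which is why a receiver that decrypts attacker-supplied ciphertexts and leaks the result in any form (a reply, a quoted message, an error) loses the plaintext of every ciphertext it has ever received.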

PKCS #1 v1.5. Recall that the public-key encryption scheme used as part of the PKCS #1 v1.5 standard uses a variant of padded RSA encryption where a portion of the padding is done in a specific way (and cannot consist of arbitrary bits). If a ciphertext is decrypted and discovered not to have the correct format, an error message is returned. It turns out that the presence of these error messages is sufficient to enable a chosen-ciphertext attack against the scheme. That is, given a properly-generated ciphertext c, an attacker can recover the underlying message m by submitting multiple ciphertexts c' and observing only which ciphertexts are decrypted successfully and which generate an error. Since this sort of information is easy to obtain (for example, from servers that issue error messages when they receive incorrectly formatted messages), the attack is practical (though the number of ciphertexts needed for the attack is large).

The existence of such a practical chosen-ciphertext attack on the scheme came as somewhat of a surprise, and prompted efforts to standardize an improved encryption scheme that could be proven secure against chosen-ciphertext attacks. These efforts culminated in (a variant of) a scheme that we discuss in Section 13.2.3.

El Gamal encryption. The El Gamal encryption scheme is as vulnerable to chosen-ciphertext attacks as textbook RSA encryption is. This may be somewhat surprising since we have proved that the El Gamal encryption scheme is CPA-secure under the DDH assumption, but we emphasize again that there is no contradiction since we are now considering a stronger attack model.

Say an adversary A intercepts a ciphertext $c = (c_1, c_2)$ that is an encryption of the (encoded) message m with respect to the public key $pk = (G, q, g, h)$. This means that

$$c_1 = g^y \quad \text{and} \quad c_2 = h^y \cdot m$$

for some $y \in \mathbb{Z}_q$ unknown to A. Nevertheless, if the adversary computes $c_2' := c_2 \cdot m'$ then it is easy to see that the ciphertext $c' = (c_1, c_2')$ is an encryption of the message $m \cdot m'$. This observation leads to an easy chosen-ciphertext attack, and also shows that El Gamal encryption is vulnerable in the auction scenario mentioned above.

One might object that the receiver will become suspicious if it receives two ciphertexts $c, c'$ that share the same first component. (Indeed, for honestly-generated ciphertexts this occurs with negligible probability.) However, this is easy for the adversary to avoid. Letting $c_1, c_2, m, m'$ be as above, A can choose a random $y'' \leftarrow \mathbb{Z}_q$ and set $c_1'' := c_1 \cdot g^{y''}$ and $c_2'' := c_2 \cdot h^{y''} \cdot m'$. Then

$$c_1'' = g^y \cdot g^{y''} = g^{y + y''} \quad \text{and} \quad c_2'' = h^y m \cdot h^{y''} m' = h^{y + y''} \cdot m m',$$

and so the ciphertext $c'' = (c_1'', c_2'')$ is again an encryption of $m \cdot m'$ but with a completely random first component.
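The following added example (not code from the book) serves two passages at once: it implements the squaring encoding and El Gamal over the quadratic-residue subgroup from the "Encoding binary strings" discussion, re-deriving every number in Example 10.23, and then carries out the re-randomised malleability attack just described, producing a ciphertext with a fresh first component that the receiver decrypts to $m \cdot m'$. The parameters $p = 167$, $q = 83$, $g = 4$, $x = 37$, $y = 71$ are the book's; the helper names and the square-root method (valid because a strong prime satisfies $p \equiv 3 \pmod 4$) are ours.

```python
# Added example (not from the book): El Gamal over the quadratic-residue
# subgroup of Z_p^* for a strong prime p = 2q + 1, with the squaring encoding
# of Section 10.5, checked against Example 10.23, then the malleability attack
# of Section 10.6. Helper names are ours; p = 167, q = 83, g = 4 are the book's.
import secrets


def encode(mhat_bits, p, q):
    """Map an (n-1)-bit string to a quadratic residue: add 1, then square."""
    assert len(mhat_bits) == q.bit_length() - 1
    mhat = int(mhat_bits, 2) + 1          # 1 <= mhat <= 2^(n-1) <= q
    return pow(mhat, 2, p)


def decode(m, p, q):
    """Invert the encoding. A strong prime satisfies p = 3 (mod 4), so a square
    root of a residue m is m^((p+1)/4) mod p; keep the root that lies in 1..q."""
    root = pow(m, (p + 1) // 4, p)
    assert pow(root, 2, p) == m, "not a quadratic residue"
    mhat = min(root, p - root)            # exactly one of +-root is <= q
    return format(mhat - 1, "0%db" % (q.bit_length() - 1))


def keygen(p, q, g, x=None):
    """Receiver: secret x in Z_q, public h = g^x (x is fixed only for the demo)."""
    if x is None:
        x = secrets.randbelow(q)
    return (p, q, g, pow(g, x, p)), x


def encrypt(pk, m, y=None):
    """Sender: (g^y, h^y * m) for a fresh random y in Z_q."""
    p, q, g, h = pk
    if y is None:
        y = secrets.randbelow(q)
    return pow(g, y, p), (pow(h, y, p) * m) % p


def decrypt(pk, x, c):
    """Receiver: m = c2 / c1^x."""
    p = pk[0]
    c1, c2 = c
    return (c2 * pow(pow(c1, x, p), -1, p)) % p


def example_10_23():
    """Re-derive every value of Example 10.23: pk, encoded m, ciphertext,
    decrypted group element and decoded bit string."""
    pk, x = keygen(167, 83, 4, x=37)
    m = encode("011101", 167, 83)
    c = encrypt(pk, m, y=71)
    recovered = decrypt(pk, x, c)
    return pk, m, c, recovered, decode(recovered, 167, 83)


def malleate(pk, c, m_prime):
    """Adversary, knowing only pk and c: produce c'' that decrypts to m * m',
    with a re-randomised first component so c'' shares no component with c
    (except with probability 1/q) and is a legal decryption-oracle query."""
    p, q, g, h = pk
    c1, c2 = c
    y2 = secrets.randbelow(q)
    return (c1 * pow(g, y2, p)) % p, (c2 * pow(h, y2, p) * m_prime) % p
```

Note that `malleate` never touches x, y or m: the homomorphism $(g^y, h^y m) \cdot (g^{y''}, h^{y''} m') = (g^{y+y''}, h^{y+y''} m m')$ is exactly what a CCA-secure scheme must rule out.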


10.7  * Trapdoor  Permutations 

(This  section  relies  on  the  material  presented  in  Section  7.4.1.) 

In  Section  10.4.3  we  saw  how  to  construct  a CPA-secure  public-key  encryp- 
tion scheme  based  on  the  RSA  assumption.  By  distilling  those  properties  of 
RSA  that  are  used  in  the  construction,  and  defining  an  abstract  notion  that 
encapsulates  those  properties,  we  can  hope  to  obtain  a general  template  for 
constructing  secure  encryption  schemes  based  on  any  primitive  satisfying  the 
same set of properties. Trapdoor permutations, which are a special case of one-way permutations, serve as one such abstraction.

In  the  following  section,  we  define  families  of  trapdoor  permutations  and 
observe  that  the  RSA  family  of  one-way  permutations  (Construction  7.71) 
satisfies  the  additional  requirements  needed  to  be  a family  of  trapdoor  permu- 
tations. In  Section  10.7.2  we  show  how  a public-key  encryption  scheme  can 
be  constructed  from  any  trapdoor  permutation.  Apart  from  in  Section  10.7.2, 
the  material  in  Section  10.7.1  is  used  directly  only  in  Section  11.2,  where  a 
second  example  of  a trapdoor  permutation  is  shown;  trapdoor  permutations 
are  mentioned  in  passing  in  Chapter  13  but  are  not  essential  for  understanding 
the  material  there.  Section  10.7.2  is  not  used  in  the  rest  of  the  book. 

10.7.1  Definition 

Recall the definitions of families of functions and families of one-way permutations from Section 7.4.1. In that section, we showed that the RSA assumption naturally gives rise to a family of one-way permutations. The astute reader may have noticed that the construction we gave (Construction 7.71) has a special property that was not remarked upon there: namely, the parameter generation algorithm Gen outputs some additional information along with I that enables efficient inversion of $f_I$. We refer to such additional information as a trapdoor, and call families of one-way permutations with this additional property families of trapdoor permutations. A formal definition follows.

DEFINITION 10.25 A tuple of polynomial-time algorithms (Gen, Samp, f, Inv) is a family of trapdoor permutations (or a trapdoor permutation) if the following hold:

• The probabilistic parameter generation algorithm Gen, on input $1^n$, outputs $(I, td)$ with $|I| \ge n$. Each $(I, td)$ output by Gen defines a set $\mathcal{D}_I = \mathcal{D}_{td}$.

• Let $\mathsf{Gen}_1$ denote the algorithm that results by running Gen and outputting only I. Then $(\mathsf{Gen}_1, \mathsf{Samp}, f)$ is a family of one-way permutations.

• The deterministic inverting algorithm Inv, on input td and $y \in \mathcal{D}_{td}$, outputs an element $x \in \mathcal{D}_{td}$. We write this as $x := \mathsf{Inv}_{td}(y)$. It is required that for all $(I, td)$ output by $\mathsf{Gen}(1^n)$ and all $x \in \mathcal{D}_I$ we have

$$\mathsf{Inv}_{td}(f_I(x)) = x.$$

The final condition means that $f_I$ can be inverted with td. The second condition, in contrast, means that $f_I$ cannot be efficiently inverted without td. It is immediate that Construction 7.71 can be modified to give a family of trapdoor permutations as long as the RSA problem is hard relative to GenRSA. We refer to this as the RSA trapdoor permutation. Another example of a trapdoor permutation, based on the factoring assumption, will be given in Section 11.2.2.

10.7.2  Public-Key  Encryption  from  Trapdoor  Permutations 

We  now  sketch  how  a public-key  encryption  scheme  can  be  constructed 
from  an  arbitrary  family  of  trapdoor  permutations.  Although  the  reader  may 
better  appreciate  the  material  in  this  section  after  reading  Chapter  6,  that 
chapter  is  not  required  in  order  to  understand  this  section.  In  order  to  keep 
this  section  self-contained,  however,  some  repetition  is  inevitable. 

Before continuing, it will be useful to introduce some shorthand. If the tuple (Gen, Samp, f, Inv) is a family of trapdoor permutations and $(I, td)$ is a pair of values output by Gen, we simply write "$x \leftarrow \mathcal{D}_I$" to denote random selection of an element from $\mathcal{D}_I$ (and no longer explicitly refer to algorithm Samp). We also use $f_I^{-1}$ in place of $\mathsf{Inv}_{td}$, with the understanding that $f_I^{-1}$ can only be efficiently computed if td is known. We will thus refer to (Gen, f) as a family of trapdoor permutations, though formally we still mean (Gen, Samp, f, Inv).

Given only I and $f_I(x)$ for a randomly-generated I and a randomly-chosen x, the fact that $(\mathsf{Gen}_1, f)$ is a one-way permutation means that we cannot expect to be able to compute x efficiently. However, this does not mean that certain information about x (say, the least-significant bit of x) is hard to compute. The first step in our construction of a public-key encryption scheme will be to distill the hardness of a family of trapdoor permutations, by identifying a single bit of information that is hard to compute about x. This idea is made concrete in the notion of a hard-core predicate. (For those who have studied Chapter 6, the following is the natural adaptation of Definition 6.5 to our context.)

DEFINITION 10.26 Let Π = (Gen, f) be a family of trapdoor permutations. Let hc be a deterministic polynomial-time algorithm that, on input I and $x \in \mathcal{D}_I$, outputs a single bit $\mathsf{hc}_I(x)$. We say that hc is a hard-core predicate of Π if for every probabilistic polynomial-time algorithm A there exists a negligible function negl such that

$$\Pr[A(I, f_I(x)) = \mathsf{hc}_I(x)] \le \tfrac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the experiment in which $\mathsf{Gen}(1^n)$ is run to generate $(I, td)$ and then x is chosen uniformly at random from $\mathcal{D}_I$.

Given a family Π of trapdoor permutations and a predicate hc that is hard-core for this family, we can encrypt a single bit in the following way. The receiver runs $\mathsf{Gen}(1^n)$ to generate $(I, td)$, and sets its public key to be I and its private key to be td. Given the public key I, the sender encrypts a single bit m by: (1) choosing a random $x \leftarrow \mathcal{D}_I$; (2) computing $y := f_I(x)$; and (3) sending the ciphertext $(y, \mathsf{hc}_I(x) \oplus m)$. To decrypt the ciphertext $(y, m')$ using private key td, the receiver first computes $x := f_I^{-1}(y)$ using td, and then outputs the message $m := \mathsf{hc}_I(x) \oplus m'$ (see Construction 10.27). It is easy to see that this recovers the original message.

CONSTRUCTION 10.27

Let Π = (Gen, f) be a family of trapdoor permutations, and let hc be a hard-core predicate for Π. Construct the following public-key encryption scheme:

• Gen: on input $1^n$, run $\mathsf{Gen}(1^n)$ to obtain $(I, td)$. Output the public key I and the private key td.

• Enc: on input a public key I and a message $m \in \{0,1\}$, choose a random $x \leftarrow \mathcal{D}_I$ and output the ciphertext

$$(f_I(x), \; \mathsf{hc}_I(x) \oplus m).$$

• Dec: on input a private key td and a ciphertext $(y, m')$ where $y \in \mathcal{D}_{td}$, compute $x := f_I^{-1}(y)$ and output the message $\mathsf{hc}_I(x) \oplus m'$.

A public-key encryption scheme from any family of trapdoor permutations.

Intuitively, this is secure since the fact that hc is a hard-core predicate for Π exactly implies that $\mathsf{hc}_I(x)$ is pseudorandom from the point of view of an eavesdropping adversary who sees the public key I and $f_I(x)$, where x is random. Security follows in a manner analogous to what we are familiar with from the private-key setting. We now prove this formally.

THEOREM 10.28 If Π is a family of trapdoor permutations and hc is a hard-core predicate of Π, then Construction 10.27 has indistinguishable encryptions under a chosen-plaintext attack.

PROOF Let Π denote the public-key encryption scheme given by Construction 10.27. As usual, we prove that Π has indistinguishable encryptions in the presence of an eavesdropper, and use Theorem 10.10 to obtain the stated result.

Let A be a probabilistic polynomial-time adversary, and define

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A,\Pi}(n) = 1].$$

We assume, without loss of generality, that the messages $m_0, m_1$ output by A are always different. (You should convince yourself that this is indeed without loss of generality.)
Consider the following PPT algorithm $A_{\mathsf{hc}}$ that attempts to compute $\mathsf{hc}_I(x)$ when given I and $y = f_I(x)$ as input:

Algorithm $A_{\mathsf{hc}}$:

The algorithm is given I and $y \in \mathcal{D}_I$ as input.

• Set $pk = I$ and run $A(pk)$ to obtain $m_0, m_1 \in \{0,1\}$.

• Choose independent random bits z and b. Set $m' := m_b \oplus z$.

• Give the ciphertext $(y, m')$ to A and obtain an output bit $b'$.

If $b' = b$, output z; otherwise, output $\bar z$ (the complement of z).

We analyze the behavior of $A_{\mathsf{hc}}$. Letting x be such that $y = f_I(x)$ (note that x is well-defined since $f_I$ is a permutation), we can view z as an initial "guess" by $A_{\mathsf{hc}}$ for the value of $\mathsf{hc}_I(x)$. This guess is correct with probability 1/2, and incorrect with probability 1/2. We also have

$$\Pr[A_{\mathsf{hc}}(I, f_I(x)) = \mathsf{hc}_I(x)] = \tfrac{1}{2} \cdot \Big( \Pr[b' = b \mid z = \mathsf{hc}_I(x)] + \Pr[b' \ne b \mid z \ne \mathsf{hc}_I(x)] \Big). \tag{10.13}$$

When $z = \mathsf{hc}_I(x)$ the view of A (being run as a subroutine by $A_{\mathsf{hc}}$) is distributed identically to A's view in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A,\Pi}(n)$ with bit b being used in that experiment. This is true because in this case $m'$ satisfies $m' = m_b \oplus \mathsf{hc}_I(x)$ for a randomly-chosen value of x, and so the ciphertext $(y, m')$ given to A is indeed a random encryption of $m_b$. It follows that

$$\Pr[b' = b \mid z = \mathsf{hc}_I(x)] = \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A,\Pi}(n) = 1] = \varepsilon(n).$$

On the other hand, when $z \ne \mathsf{hc}_I(x)$ then the view of A (being run as a subroutine by $A_{\mathsf{hc}}$) is distributed exactly as A's view in experiment $\mathsf{PubK}^{\mathsf{eav}}_{A,\Pi}(n)$ but with bit $\bar b$ being used in that experiment. This follows because now $m'$ satisfies

$$m' = m_b \oplus \overline{\mathsf{hc}_I(x)} = \overline{m_b} \oplus \mathsf{hc}_I(x) = m_{\bar b} \oplus \mathsf{hc}_I(x)$$

(recalling our assumption that $m_0 \ne m_1$, so that $\overline{m_b} = m_{\bar b}$), and so the ciphertext $(y, m')$ given to A is now a random encryption of $m_{\bar b}$. Therefore

$$\Pr[b' = b \mid z \ne \mathsf{hc}_I(x)] = \Pr[\mathsf{PubK}^{\mathsf{eav}}_{A,\Pi}(n) = 0] = 1 - \varepsilon(n)$$

and so $\Pr[b' \ne b \mid z \ne \mathsf{hc}_I(x)] = \varepsilon(n)$.

Combining the above with Equation (10.13) we have that

$$\Pr[A_{\mathsf{hc}}(I, f_I(x)) = \mathsf{hc}_I(x)] = \tfrac{1}{2} \cdot \big( \varepsilon(n) + \varepsilon(n) \big) = \varepsilon(n).$$

Since hc is a hard-core predicate for Π we have $\varepsilon(n) \le \tfrac{1}{2} + \mathsf{negl}(n)$. This completes the proof. ∎
It remains only to show that families of trapdoor permutations have hard-core predicates. For some natural families, such as the one based on the RSA assumption that was discussed in the previous section, specific hard-core predicates are known. (As one example, it is known that if the RSA assumption holds then the least-significant bit is hard-core for the RSA family of trapdoor permutations.) For the general case, we can rely on the following result that can be proved by a suitable modification of Theorem 6.6:

THEOREM 10.29 If a family of trapdoor permutations Π exists, then there exists a family of trapdoor permutations $\hat\Pi$ along with a predicate hc that is hard-core for $\hat\Pi$.

Encrypting longer messages. Using Proposition 10.11, we know that we can extend Construction 10.27 to encrypt ℓ-bit messages for any polynomial ℓ. Doing so, the ciphertext corresponding to an ℓ-bit message $m = m_1 \cdots m_\ell$ encrypted with respect to the public key I would take the form

$$(f_I(x_1), \; \mathsf{hc}_I(x_1) \oplus m_1), \; \ldots, \; (f_I(x_\ell), \; \mathsf{hc}_I(x_\ell) \oplus m_\ell)$$

with $x_1, \ldots, x_\ell$ chosen independently and uniformly at random from $\mathcal{D}_I$.

We can reduce the size of the ciphertext by having the sender instead proceed as follows: Choose random $x_1 \leftarrow \mathcal{D}_I$ and compute $x_{i+1} := f_I(x_i)$ for $i = 1$ to ℓ. Then output the ciphertext

$$(x_{\ell+1}, \; \mathsf{hc}_I(x_1) \oplus m_1, \; \ldots, \; \mathsf{hc}_I(x_\ell) \oplus m_\ell).$$

A proof that this is secure uses ideas from Section 6.4, and is left as an advanced exercise.
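Construction 10.27 and the compact ℓ-bit variant just sketched, as an added example that is not code from the book: the trapdoor permutation is instantiated with RSA, $f_I(x) = x^e \bmod N$, and the hard-core predicate with the least-significant bit, which the text notes is hard-core for RSA under the RSA assumption. The sender iterates $f_I$ along the chain $x_1, x_2 = f_I(x_1), \ldots$ and sends only $x_{\ell+1}$ plus the masked bits; the receiver, holding the trapdoor d, walks the chain backwards. The modulus uses constructed toy primes (far too small to be secure) and the helper names are ours.

```python
# Added example (not from the book): Construction 10.27 and the compact
# multi-bit variant above, instantiated with the RSA trapdoor permutation
# f_I(x) = x^e mod N and the least-significant-bit predicate, which the text
# notes is hard-core for RSA under the RSA assumption. The modulus uses
# constructed toy primes (far too small to be secure); helper names are ours.
import secrets


def tdp_gen(p=1019, q=1021, e=65537):
    """Gen: (I, td) for the RSA permutation. I = (N, e) is public, td = (N, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def f(I, x):
    """f_I(x) = x^e mod N: anyone holding I can compute it."""
    n, e = I
    return pow(x, e, n)


def f_inv(td, y):
    """f_I^{-1}(y) = y^d mod N: requires the trapdoor d."""
    n, d = td
    return pow(y, d, n)


def hc(x):
    """Hard-core predicate for RSA: the least-significant bit of x.
    (In general hc_I may depend on I; the LSB does not.)"""
    return x & 1


def sample(I):
    """x <- D_I. RSA permutes all of Z_N, so sampling from Z_N suffices here."""
    return secrets.randbelow(I[0])


def enc_bit(I, m):
    """Construction 10.27: ciphertext (f_I(x), hc_I(x) xor m) for m in {0,1}."""
    x = sample(I)
    return f(I, x), hc(x) ^ m


def dec_bit(td, c):
    """Dec: recover x with the trapdoor, then strip the one-bit pad."""
    y, masked = c
    return hc(f_inv(td, y)) ^ masked


def enc_bits(I, bits):
    """Compact l-bit variant: x_{i+1} = f_I(x_i); send x_{l+1} and the
    masked bits hc(x_1) xor m_1, ..., hc(x_l) xor m_l."""
    x = sample(I)
    masked = []
    for b in bits:
        masked.append(hc(x) ^ int(b))
        x = f(I, x)            # after the loop x is x_{l+1}
    return x, masked


def dec_bits(td, c):
    """Walk the chain backwards with the trapdoor: x_l = f^{-1}(x_{l+1}), ...,
    x_1 = f^{-1}(x_2), recovering the pads in reverse order."""
    x, masked = c
    out = []
    for mb in reversed(masked):
        x = f_inv(td, x)
        out.append(str(hc(x) ^ mb))
    return "".join(reversed(out))
```

The compact ciphertext carries one group element instead of ℓ, at the cost of ℓ sequential trapdoor inversions on decryption; security of the chained form rests on the hard-core bits staying pseudorandom even given the later chain element, which is the argument the text defers to Section 6.4.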


References  and  Additional  Reading 

The idea of public-key encryption was first proposed (in the open literature, at least) by Diffie and Hellman [47]. Somewhat amazingly, the El Gamal encryption scheme [59] was not proposed until 1984 even though it can be viewed as a direct transformation of the Diffie-Hellman key exchange protocol introduced by Diffie and Hellman in 1976 (see Exercise 10.4). Rivest, Shamir, and Adleman [122] introduced the RSA assumption and proposed a public-key encryption scheme based on this assumption.

Definition 10.3 is rooted in the seminal work of Goldwasser and Micali [69], who were also the first to recognize the necessity of probabilistic encryption for satisfying this definition. A proof of security for a special case of hybrid encryption was first given by Blum and Goldwasser [22].
The public-key encryption scheme suggested by Rivest, Shamir, and Adleman [122] corresponds to the textbook RSA scheme shown here. The attacks described in Section 10.4.2 are due to [73, 45, 133, 27]; see [99, Chapter 8] and [25] for additional attacks and further explanation. The PKCS #1 RSA Cryptography Standard (both the latest version and previous versions) is available for download from http://www.rsa.com/rsalabs. A proof of Theorem 10.19 can be derived from results in [5, 75].

As noted in Chapter 4, chosen-ciphertext attacks were first formally defined by Naor and Yung [107] and Rackoff and Simon [121]. The chosen-ciphertext attacks on the "textbook RSA" and El Gamal schemes are immediate; the attack on PKCS #1 v1.5 is due to Bleichenbacher [20]. For more recent definitional treatments of public-key encryption under stronger attacks, including chosen-ciphertext attacks, the reader is referred to the works of Dolev et al. [50] and Bellare et al. [10]. The first efficient public-key encryption scheme secure against chosen-ciphertext attack was shown by Cramer and Shoup [39]. The expository article by Shoup [129] contains a discussion of the importance of security against chosen-ciphertext attacks.

The existence of public-key encryption based on arbitrary trapdoor permutations was shown by Yao [149], and the efficiency improvement discussed at the end of Section 10.7.2 is due to Blum and Goldwasser [22]. The reader interested in finding out more about hard-core predicates for the RSA family of trapdoor permutations is invited to peruse [5, 75, 4] and references therein.

When using any encryption scheme in practice the question of what key-length to use arises. This issue should not be taken lightly, and we refer the reader to [94] for a treatment of this issue.


Exercises 

10.1 Assume a public-key encryption scheme for single-bit messages. Show that, given pk and a ciphertext c computed via c ← Enc_pk(m), it is possible for an unbounded adversary to determine m with probability 1. This shows that perfectly-secret public-key encryption is impossible.

10.2  Say  a deterministic  public-key  encryption  scheme  is  used  to  encrypt 
a message  m that  is  known  to  lie  in  a small  set  of  C possible  values. 
Show  how  it  is  possible  to  determine  m in  time  linear  in  C (assume  that 
encryption  of  an  element  takes  a single  unit  of  time). 

10.3 Show that for any CPA-secure public-key encryption scheme, the size of the ciphertext after encrypting a single bit is superlogarithmic in the security parameter. (That is, for (pk, sk) ← Gen(1^n) it must hold that |Enc_pk(b)| = ω(log n) for any b ∈ {0, 1}.)

Hint: If not, the range of possible ciphertexts is only polynomial in size.
10.4 Show that any 2-round key-exchange protocol (that is, where each party sends a single message) satisfying Definition 9.1 can be converted into a public-key encryption scheme that is CPA-secure.

10.5 Show that in Definition 10.7, we can assume without loss of generality that A always outputs two vectors containing exactly t(n) messages each. That is, show how to construct, for any scheme Π and any adversary A, an adversary A' that always outputs vectors of the same length t(n) for each fixed value of n and such that

$$\Pr[\mathsf{PubK}_{A,\Pi}(n) = 1] = \Pr[\mathsf{PubK}_{A',\Pi}(n) = 1].$$

10.6  Prove  Claim  10.9. 

10.7 Fix N, and assume there exists an adversary A running in time t for which

$$\Pr\big[A([x^e \bmod N]) = x\big] = 0.01,$$

where the probability is taken over random choice of x ← Z_N^*. Show that it is possible to construct an adversary A' for which

$$\Pr\big[A'([x^e \bmod N]) = x\big] = 0.99.$$

The running time t' of A' should satisfy t' = poly(||N||, t).

Hint: Use the fact that (x · r)^e = x^e · r^e mod N.

10.8 The public exponent e in RSA can be chosen arbitrarily, subject to gcd(e, φ(N)) = 1. Popular choices of e include e = 3 and e = 2^16 + 1. Explain why such e are preferable to a random value of the same length.

Hint: See the algorithm for modular exponentiation in Appendix B.2.3.

10.9 Let GenRSA have the usual meaning. Consider the following experiment for an algorithm A and a function ℓ with ℓ(n) ≤ 2n − 2 for all n:

The padded RSA experiment PAD_{A,GenRSA,ℓ}(n):

(a) Run GenRSA(1^n) to obtain output (N, e, d).

(b) Give N, e to A, who outputs a string m ∈ {0, 1}^{ℓ(n)}.

(c) Choose random m_0 ← {0, 1}^{ℓ(n)} (and let m_1 denote the string m output by A). Choose random r ← {0, 1}^{||N|| − ℓ(n) − 1} and set

$$y_i := [(r \,\|\, m_i)^e \bmod N].$$

(d) Choose random b ← {0, 1}. Adversary A is given y_b, and outputs a bit b'.

(e) The output of the experiment is defined to be 1 if b' = b, and 0 otherwise.

Say the ℓ-padded RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[PAD_{A,GenRSA,ℓ}(n) = 1] ≤ 1/2 + negl(n).

Prove that if the ℓ-padded RSA problem is hard relative to GenRSA, then the padded RSA encryption scheme (Construction 10.18) using ℓ is CPA-secure.

10.10 Say a function f is hard-core for GenRSA if for all PPT algorithms A there exists a negligible function negl such that

$$\Big|\, \Pr[A(N, e, y, f(x)) = 1] - \Pr[A(N, e, y, f(r)) = 1] \,\Big| \le \mathsf{negl}(n),$$

where in each case the probabilities are taken over the experiment in which GenRSA(1^n) outputs (N, e, d), random x, r ← Z_N^* are chosen, and y is set equal to [x^e mod N].

For x ∈ Z_N^*, let lsb(x) (resp., msb(x)) denote the least- (resp., most-) significant bit of x when written as an integer using exactly ||N|| bits.

Define f(x) := msb(x) || lsb(x). It can be shown that if the RSA problem is hard relative to GenRSA, then f is hard-core for GenRSA [4]. Prove Theorem 10.19 by relying on this result.

Hint: Note that in Construction 10.18, msb(r || m) is always equal to 0.

10.11 Consider the following public-key encryption scheme. The public key is (G, q, g, h) and the private key is x, generated exactly as in the El Gamal encryption scheme. In order to encrypt a bit b, the sender does the following:

(a) If b = 0 then choose a random y ← Z_q and compute c_1 = g^y and c_2 = h^y. The ciphertext is (c_1, c_2).

(b) If b = 1 then choose independent random y, z ← Z_q, compute c_1 = g^y and c_2 = g^z, and set the ciphertext equal to (c_1, c_2).

Show that it is possible to decrypt efficiently given knowledge of x. Prove that this encryption scheme is CPA-secure if the decisional Diffie-Hellman problem is hard relative to G.

10.12 The natural way of applying hybrid encryption to the El Gamal encryption scheme is as follows. The public key is pk = (G, q, g, h) as in the El Gamal scheme, and to encrypt a message m the sender chooses random k ← {0, 1}^n and sends

$$(g^r,\; h^r \cdot k,\; \mathsf{Enc}_k(m)),$$

where r ← Z_q is chosen at random and Enc represents a private-key encryption scheme. Suggest an improvement that results in a shorter ciphertext containing only a single group element followed by a private-key encryption of m.
10.13 Show that Proposition 10.11 does not hold in the setting of CCA-security. In contrast, Theorem 10.10 does hold in the setting of CCA-security. Explain why in the setting of CPA security there is no distinction between multiple messages and a single long message, whereas in the setting of CCA security there is.

10.14 Consider the following version of padded RSA encryption. Assume that the message m to be encrypted has length ||N||/2 (i.e., roughly half the length of the modulus). To encrypt, first pad m to the left with one byte of zeroes, then 10 random bytes, and then all zeroes; the result is denoted m̂ (that is, m̂ = (0^k || r || 00000000 || m), where k is the number of zeroes needed to make m̂ the appropriate size). Finally, compute c = [m̂^e mod N]. Describe a chosen-ciphertext attack on this scheme. Why is it easier to construct a chosen-ciphertext attack on this scheme than on PKCS #1 v1.5?

10.15 Let Π be a CCA-secure public-key encryption scheme and let Π' be a CCA-secure private-key encryption scheme. Is Construction 10.12 instantiated using Π and Π' CCA-secure? Prove your answer.

10.16 Consider the following variant of Construction 10.27 which gives an alternative way of encrypting using any family of trapdoor permutations:

CONSTRUCTION 10.30

Let Π = (Gen, f) and hc be as in Construction 10.27.

• Gen: as in Construction 10.27.

• Enc: on input a public key I and a message m ∈ {0, 1}, choose a random x ← D_I such that hc_I(x) = m, and output the ciphertext y := f_I(x).

• Dec: on input a private key td and a ciphertext y with y ∈ D_td, compute x := f_td^{-1}(y) and output the message hc_I(x).

(a) Argue that encryption can be performed in polynomial time.

(b) Prove that if Π is a family of trapdoor permutations and hc is a hard-core predicate of Π, then this construction is CPA-secure.

10.17 Consider the following protocol for two parties A and B to flip a fair coin (more complicated versions of this might be used for Internet gambling): (1) a trusted party T publishes her public key pk; (2) A chooses a random bit b_A, encrypts it using pk, and announces the ciphertext c_A to B and T; (3) next, B acts symmetrically and announces a ciphertext c_B ≠ c_A; (4) T decrypts both c_A and c_B, and the parties XOR the results to obtain the value of the coin.

(a) Argue that even if A is dishonest (but B is honest), the final value of the coin is uniformly distributed.

(b) Assume the parties use El Gamal encryption (where the bit b is encoded as the group element g^b). Show how a dishonest B can bias the coin to any value he likes.

(c) Suggest what type of encryption scheme would be appropriate to use here. Can you define an appropriate notion of security and prove that your suggestion achieves this definition?


Chapter 11

* Additional Public-Key Encryption Schemes

In the previous chapter we saw some examples of public-key encryption schemes based on the RSA and decisional Diffie-Hellman problems. Here, we explore additional encryption schemes based on other number-theoretic problems related to the hardness of factoring. The schemes discussed in this chapter are not fundamentally any less important than the schemes covered in the previous chapter — although RSA and El Gamal encryption are more widely used than any of the schemes discussed here — rather, the schemes we discuss in this chapter were placed here because they require a bit more number theory than we have covered to this point. Each of the schemes we show here is well worth understanding, at least from a theoretical standpoint:

• The  Goldwasser-Micali  encryption  scheme,  based  on  the  hardness  of 
distinguishing  quadratic  residues  from  (certain)  quadratic  non-residues 
modulo  a composite,  was  the  first  scheme  proven  to  be  CPA-secure.  The 
cryptographic  assumption  on  which  the  scheme  relies  is  also  useful  in 
other  contexts. 

• The  Rabin  encryption  scheme  is  very  similar  to  the  RSA  encryption 
scheme,  but  with  one  crucial  difference:  it  is  possible  to  prove  that 
the  Rabin  encryption  scheme  is  CPA-secure  under  the  assumption  that 
factoring  is  hard.  Recall  that,  in  contrast,  hardness  of  the  RSA  problem 
(and  thus  the  security  of  any  encryption  scheme  based  on  RSA)  is  not 
known  to  follow  from  the  factoring  assumption. 

• The Paillier encryption scheme is based on a cryptographic assumption related (but not known to be identical) to factoring. In contrast to Goldwasser-Micali encryption or the provably-secure variant of Rabin encryption, in Paillier encryption the message is not encrypted bit-by-bit; thus, the efficiency of Paillier encryption is comparable to that of El Gamal encryption. The Paillier encryption scheme also has other advantages (like the fact that it is homomorphic) that we will discuss in Section 11.3.

Throughout this chapter, we let p and q denote odd primes, and let N denote a product of two distinct odd primes. We will use the Chinese remainder theorem and thus assume familiarity with Section 7.1.5.
11.1 The Goldwasser-Micali Encryption Scheme

We begin with a discussion of the Goldwasser-Micali encryption scheme. Before we can present the scheme, we need to develop a better understanding of quadratic residues. We first explore the easier case of quadratic residues modulo a prime p, and then look at the slightly more complicated case of quadratic residues modulo a composite N.

11.1.1 Quadratic Residues Modulo a Prime

Given a group G, an element y ∈ G is a quadratic residue if there exists an x ∈ G with x^2 = y. In this case, we call x a square root of y. An element that is not a quadratic residue is called a quadratic non-residue. In an abelian group, the set of quadratic residues forms a subgroup.

In the specific case of Z_p^*, we have that y is a quadratic residue if there exists an x with x^2 = y mod p. We begin with an easy observation.

PROPOSITION 11.1 Let p > 2 be prime. Every quadratic residue in Z_p^* has exactly two square roots.

PROOF Let y ∈ Z_p^* be a quadratic residue. Then there exists an x ∈ Z_p^* such that x^2 = y mod p. Clearly, (−x)^2 = x^2 = y mod p. Furthermore, −x ≠ x mod p: if −x = x mod p then 2x = 0 mod p which implies p | 2x. Since p is prime, this would mean that either p | 2 (which is impossible since p > 2) or p | x (which is impossible since 0 < x < p). So, [x mod p] and [−x mod p] are distinct elements of Z_p^*, and y has at least two square roots.

Let x' ∈ Z_p^* be a square root of y. Then x^2 = y = (x')^2 mod p implying that x^2 − (x')^2 = 0 mod p. Factoring the left-hand side we obtain

$$(x - x')(x + x') = 0 \bmod p,$$

so that either p | (x − x') or p | (x + x'). In the first case, x' = x mod p and in the second case x' = −x mod p, showing that y indeed has only [±x mod p] as square roots. ■

Let sq_p : Z_p^* → Z_p^* be the function sq_p(x) := [x^2 mod p]. The above proposition shows that sq_p is a two-to-one function when p > 2 is prime. This immediately implies that exactly half the elements of Z_p^* are quadratic residues. We denote the set of quadratic residues modulo p by QR_p, and the set of quadratic non-residues by QNR_p. We have just seen that for p > 2 prime

$$|QR_p| = |QNR_p| = \frac{p-1}{2}.$$
Define J_p(x), the Jacobi symbol of x modulo p, as follows.¹ Let p > 2 be prime, and x ∈ Z_p^*. Then

$$J_p(x) \stackrel{\text{def}}{=} \begin{cases} +1 & \text{if } x \text{ is a quadratic residue modulo } p \\ -1 & \text{if } x \text{ is not a quadratic residue modulo } p. \end{cases}$$

The notation can be extended in the natural way for any x relatively prime to p by defining J_p(x) = J_p([x mod p]).

Can we characterize the quadratic residues in Z_p^* for p > 2 prime? We begin with the fact that Z_p^* is a cyclic group of order p − 1 (see Theorem 7.53). Let g be a generator of Z_p^*. This means that

$$\mathbb{Z}_p^* = \{\, g^0,\, g^1,\, \ldots,\, g^{\frac{p-1}{2}-1},\, g^{\frac{p-1}{2}},\, \ldots,\, g^{p-2} \,\}$$

(recall that p is odd, so p − 1 is even). Squaring each element in this list and reducing modulo p − 1 in the exponent (cf. Corollary 7.15) yields a list of all the quadratic residues in Z_p^*:

$$QR_p = \{\, g^0,\, g^2,\, \ldots,\, g^{p-3},\; g^0,\, g^2,\, \ldots,\, g^{p-3} \,\}.$$

(Note that each quadratic residue appears twice in this list.) We see that the quadratic residues in Z_p^* are exactly those elements that can be written as g^i with i ∈ {0, …, p − 2} an even integer.

The above characterization leads to a simple way to compute the Jacobi symbol and thus tell whether a given element x ∈ Z_p^* is a quadratic residue or not.

PROPOSITION 11.2 Let p > 2 be a prime. Then J_p(x) = x^{(p−1)/2} mod p.

PROOF Let g be an arbitrary generator of Z_p^*. If x is a quadratic residue modulo p, our earlier discussion shows that x = g^i for some even integer i. Writing i = 2j with j an integer we then have

$$x^{\frac{p-1}{2}} = \big(g^{2j}\big)^{\frac{p-1}{2}} = \big(g^{p-1}\big)^{j} = 1 \bmod p,$$

and so x^{(p−1)/2} = +1 = J_p(x) mod p as claimed.

On the other hand, if x is not a quadratic residue then x = g^i for some odd integer i. Writing i = 2j + 1 with j an integer we have

$$x^{\frac{p-1}{2}} = \big(g^{2j+1}\big)^{\frac{p-1}{2}} = \big(g^{p-1}\big)^{j} \cdot g^{\frac{p-1}{2}} = 1 \cdot g^{\frac{p-1}{2}} = g^{\frac{p-1}{2}} \bmod p.$$

Now,

$$\big(g^{\frac{p-1}{2}}\big)^2 = g^{p-1} = 1 \bmod p,$$

and so g^{(p−1)/2} = ±1 mod p since [±1 mod p] are the two square roots of 1 (cf. Proposition 11.1). Since g is a generator, it has order p − 1 and so g^{(p−1)/2} ≠ 1 mod p. It follows that x^{(p−1)/2} = −1 = J_p(x) mod p. ■

¹ J_p(x) is also sometimes called the Legendre symbol of x, and denoted by L_p(x); we have chosen our notation to be consistent with notation introduced later.

Proposition 11.2 directly gives a polynomial-time algorithm for testing whether a given element x ∈ Z_p^* is a quadratic residue or not.

ALGORITHM 11.3

Deciding quadratic residuosity modulo a prime

Input: A prime p; element x ∈ Z_p^*
Output: J_p(x) (or, equivalently, whether x is a quadratic residue or quadratic non-residue)

b := x^{(p−1)/2} mod p
if b = 1 return "quadratic residue"
else return "quadratic non-residue"
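As an added example (not code from the book), Algorithm 11.3 and Proposition 11.2 implemented in Python and checked exhaustively against brute-force squaring for small primes; the check also exhibits the two-to-one property of Proposition 11.1 and the multiplicativity of J_p stated below in Proposition 11.4. All function names are this example's own.

```python
# Added example (not from the book): Euler's criterion as in Algorithm 11.3,
# verified against an exhaustive enumeration of squares modulo small primes.


def jacobi_prime(x, p):
    """J_p(x) for an odd prime p and x coprime to p, computed as
    x^((p-1)/2) mod p (Proposition 11.2). Returns +1 or -1."""
    assert p > 2 and x % p != 0
    b = pow(x, (p - 1) // 2, p)
    return 1 if b == 1 else -1


def is_qr_prime(x, p):
    """Algorithm 11.3: decide quadratic residuosity modulo a prime."""
    return jacobi_prime(x, p) == 1


def square_roots_mod_prime(y, p):
    """Brute force (for checking only): all x in Z_p^* with x^2 = y mod p."""
    return sorted(x for x in range(1, p) if (x * x) % p == y % p)


def qr_sets(p):
    """(QR_p, QNR_p) computed by exhaustive squaring of Z_p^*."""
    qr = {(x * x) % p for x in range(1, p)}
    qnr = set(range(1, p)) - qr
    return qr, qnr


def check_prime(p):
    """Verify Propositions 11.1, 11.2 and 11.4 exhaustively for one prime p.
    Returns True if every check passes."""
    qr, qnr = qr_sets(p)
    # Proposition 11.1: each residue has exactly the two roots x and -x.
    for y in qr:
        roots = square_roots_mod_prime(y, p)
        if len(roots) != 2 or (roots[0] + roots[1]) % p != 0:
            return False
    # Consequence: |QR_p| = |QNR_p| = (p-1)/2.
    if len(qr) != (p - 1) // 2 or len(qnr) != (p - 1) // 2:
        return False
    # Proposition 11.2 / Algorithm 11.3 agree with the brute-force sets.
    for x in range(1, p):
        if is_qr_prime(x, p) != (x in qr):
            return False
    # Proposition 11.4: J_p(xy) = J_p(x) * J_p(y).
    for x in range(1, p):
        for y in range(1, p):
            if jacobi_prime(x * y, p) != jacobi_prime(x, p) * jacobi_prime(y, p):
                return False
    return True


if __name__ == "__main__":
    for p in (3, 5, 7, 11, 13, 101, 103):
        print(p, "QR_p =", sorted(qr_sets(p)[0]), "ok" if check_prime(p) else "FAIL")
```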


We conclude this section by noting a nice multiplicative property of quadratic residues and non-residues modulo p.

PROPOSITION 11.4 Let p > 2 be a prime, and x, y ∈ Z_p^*. Then

$$J_p(xy) = J_p(x) \cdot J_p(y).$$

PROOF Using the previous proposition,

$$J_p(xy) = (xy)^{\frac{p-1}{2}} = x^{\frac{p-1}{2}} \cdot y^{\frac{p-1}{2}} = J_p(x) \cdot J_p(y) \bmod p.$$

Since J_p(xy), J_p(x), J_p(y) = ±1, equality holds over the integers as well. ■

COROLLARY 11.5 Let p > 2 be prime, x, x' ∈ QR_p, and y, y' ∈ QNR_p. Then:

1. [xx' mod p] ∈ QR_p.

2. [yy' mod p] ∈ QR_p.

3. [xy mod p] ∈ QNR_p.
11.1.2 Quadratic Residues Modulo a Composite

We now turn our attention to quadratic residues in the group Z_N^*. Characterizing the quadratic residues modulo N is easy if we use the results of the previous section in conjunction with the Chinese remainder theorem. Recall that the Chinese remainder theorem says that Z_N^* ≅ Z_p^* × Z_q^*, and we let y ↔ (y_p, y_q) denote the correspondence guaranteed by the theorem (i.e., y_p = [y mod p] and y_q = [y mod q]). The key observation is:

PROPOSITION 11.6 Let N = pq with p, q distinct primes, and y ∈ Z_N^* with y ↔ (y_p, y_q). Then y is a quadratic residue modulo N if and only if y_p is a quadratic residue modulo p and y_q is a quadratic residue modulo q.

PROOF If y is a quadratic residue modulo N then, by definition, there exists an x ∈ Z_N^* such that x^2 = y mod N. Let x ↔ (x_p, x_q). Then

$$(y_p, y_q) \leftrightarrow y = x^2 \leftrightarrow (x_p, x_q)^2 = \big([x_p^2 \bmod p],\, [x_q^2 \bmod q]\big),$$

where (x_p, x_q)^2 is simply the square of element (x_p, x_q) in the group Z_p^* × Z_q^*. We have thus shown that

$$y_p = x_p^2 \bmod p \quad\text{and}\quad y_q = x_q^2 \bmod q \qquad (11.1)$$

and y_p, y_q are quadratic residues (with respect to the appropriate moduli).

Conversely, if y ↔ (y_p, y_q) and y_p, y_q are quadratic residues modulo p and q, respectively, then there exist x_p ∈ Z_p^* and x_q ∈ Z_q^* such that Equation (11.1) holds. Let x ∈ Z_N^* be such that x ↔ (x_p, x_q). Reversing the above steps shows that x is a square root of y modulo N. ■

The above proposition characterizes the quadratic residues modulo N. A careful examination of the proof yields another important observation: each quadratic residue y ∈ Z_N^* has exactly four square roots. To see this, let y ↔ (y_p, y_q) be a quadratic residue modulo N and let x_p, x_q be square roots of y_p and y_q modulo p and q, respectively. Then the four square roots of y are given by the elements in Z_N^* corresponding to

$$(x_p, x_q),\quad (-x_p, x_q),\quad (x_p, -x_q),\quad (-x_p, -x_q). \qquad (11.2)$$

Each of these is a square root of y since

$$(\pm x_p, \pm x_q)^2 = \big([(\pm x_p)^2 \bmod p],\, [(\pm x_q)^2 \bmod q]\big) = \big([x_p^2 \bmod p],\, [x_q^2 \bmod q]\big) = (y_p, y_q) \leftrightarrow y$$

(where again the notation (·,·)^2 refers to squaring in the group Z_p^* × Z_q^*). The Chinese remainder theorem guarantees that the four elements in Equation (11.2) each correspond to distinct elements of Z_N^*, since x_p and −x_p are unique modulo p (and similarly for x_q and −x_q modulo q).
Example 11.7

Consider Z_15^* (the correspondence given by the Chinese remainder theorem is tabulated in Example 7.25). Element 4 is a quadratic residue modulo 15 with square root 2. Since 2 ↔ (2, 2), the other square roots of 4 are given by:

• (2, [−2 mod 3]) = (2, 1) ↔ 7;

• ([−2 mod 5], 2) = (3, 2) ↔ 8; and

• ([−2 mod 5], [−2 mod 3]) = (3, 1) ↔ 13.

One can verify that 7^2 = 8^2 = 13^2 = 4 mod 15. ◇

Let QR_N denote the set of quadratic residues modulo N. Since squaring modulo N is a four-to-one function, we immediately see that exactly 1/4 of the elements of Z_N^* are quadratic residues. Alternately, we could note that since y ∈ Z_N^* is a quadratic residue if and only if y_p, y_q are quadratic residues, there is a one-to-one correspondence between QR_N and QR_p × QR_q. Thus, the fraction of quadratic residues modulo N is

$$\frac{|QR_N|}{|\mathbb{Z}_N^*|} = \frac{|QR_p| \cdot |QR_q|}{|\mathbb{Z}_p^*| \cdot |\mathbb{Z}_q^*|} = \frac{\frac{p-1}{2} \cdot \frac{q-1}{2}}{(p-1)(q-1)} = \frac{1}{4},$$

in agreement with the above.

In the previous section, we defined the Jacobi symbol J_p(x) for p > 2 prime. We extend the definition to the case of N = pq a product of distinct, odd primes as follows. For any x relatively prime to N = pq,

$$J_N(x) \stackrel{\text{def}}{=} J_p(x) \cdot J_q(x) = J_p([x \bmod p]) \cdot J_q([x \bmod q]).$$

We define J_N^{+1} as the set of elements in Z_N^* having Jacobi symbol +1, and define J_N^{−1} analogously.

We know from Proposition 11.6 that if x is a quadratic residue modulo N, then [x mod p] and [x mod q] are quadratic residues modulo p and q, respectively; that is, J_p(x) = J_q(x) = +1. So J_N(x) = +1 and we see that:

If x is a quadratic residue modulo N, then J_N(x) = +1.

However, J_N(x) = +1 can also occur when J_p(x) = J_q(x) = −1; that is, when both [x mod p] and [x mod q] are not quadratic residues modulo p and q, respectively (and so x is not a quadratic residue modulo N). This turns out to be useful for the Goldwasser-Micali encryption scheme, and we therefore introduce the notation QNR_N^{+1} for the set of elements of this type. That is

$$QNR_N^{+1} \stackrel{\text{def}}{=} \{\, x \in \mathbb{Z}_N^* : J_p(x) = J_q(x) = -1 \,\} = \mathcal{J}_N^{+1} \setminus QR_N.$$


It is now easy to prove the following (see Figure 11.1):

PROPOSITION 11.8 Let N = pq with p, q distinct, odd primes. Then:

1. Exactly half the elements of Z_N^* are in J_N^{+1}.

2. QR_N is contained in J_N^{+1}.

3. Exactly half the elements of J_N^{+1} are in QR_N (the other half are in QNR_N^{+1}).

PROOF We know that J_N(x) = +1 if either J_p(x) = J_q(x) = +1 or J_p(x) = J_q(x) = −1. We also know (from the previous section) that exactly half the elements of Z_p^* have Jacobi symbol +1, and half have Jacobi symbol −1 (and similarly for Z_q^*). Defining J_p^{+1}, J_q^{+1}, J_p^{−1} and J_q^{−1} in the natural way, we thus have:

$$|\mathcal{J}_N^{+1}| = |\mathcal{J}_p^{+1} \times \mathcal{J}_q^{+1}| + |\mathcal{J}_p^{-1} \times \mathcal{J}_q^{-1}| = \frac{p-1}{2}\cdot\frac{q-1}{2} + \frac{p-1}{2}\cdot\frac{q-1}{2} = \frac{\phi(N)}{2}.$$

So |J_N^{+1}| = |Z_N^*|/2, proving that half the elements of Z_N^* are in J_N^{+1}.

We have noted earlier that all quadratic residues modulo N have Jacobi symbol +1, showing that QR_N ⊆ J_N^{+1}.

Since x ∈ QR_N if and only if J_p(x) = J_q(x) = +1, we have

$$|QR_N| = |\mathcal{J}_p^{+1} \times \mathcal{J}_q^{+1}| = \frac{p-1}{2}\cdot\frac{q-1}{2} = \frac{\phi(N)}{4},$$

and so |QR_N| = |J_N^{+1}|/2. Since QR_N is a subset of J_N^{+1}, this proves that half the elements of J_N^{+1} are in QR_N. ■
The next two results are analogues of Proposition 11.4 and Corollary 11.5.

PROPOSITION 11.9 Let N = pq be a product of distinct, odd primes, and x, y ∈ Z_N^*. Then J_N(xy) = J_N(x) · J_N(y).

PROOF Using the definition of J_N(·) and Proposition 11.4, we have

$$J_N(xy) = J_p(xy) \cdot J_q(xy) = J_p(x) \cdot J_p(y) \cdot J_q(x) \cdot J_q(y) = J_p(x) \cdot J_q(x) \cdot J_p(y) \cdot J_q(y) = J_N(x) \cdot J_N(y). \quad ■$$

COROLLARY 11.10 Let N = pq be a product of distinct, odd primes, and say x, x' ∈ QR_N and y, y' ∈ QNR_N^{+1}. Then:

1. [xx' mod N] ∈ QR_N.

2. [yy' mod N] ∈ QR_N.

3. [xy mod N] ∈ QNR_N^{+1}.

PROOF We prove the final claim; proofs of the others are similar. Since x ∈ QR_N, we have J_p(x) = J_q(x) = +1. Since y ∈ QNR_N^{+1}, we have J_p(y) = J_q(y) = −1. Using Proposition 11.4,

$$J_p(xy) = J_p(x) \cdot J_p(y) = -1 \quad\text{and}\quad J_q(xy) = J_q(x) \cdot J_q(y) = -1,$$

and so J_N(xy) = +1. But xy is not a quadratic residue modulo N, since J_p(xy) = −1 and so [xy mod p] is not a quadratic residue modulo p. We conclude that xy ∈ QNR_N^{+1}. ■

In contrast to Corollary 11.5, it is not true that y, y' ∈ QNR_N implies yy' ∈ QR_N. (Instead, as indicated in the corollary, this is only guaranteed if y, y' ∈ QNR_N^{+1}.) For example, we could have J_p(y) = +1, J_q(y) = −1 and J_p(y') = −1, J_q(y') = +1, so J_p(yy') = J_q(yy') = −1 and yy' is not a quadratic residue even though J_N(yy') = +1.

11.1.3  The  Quadratic  Residuosity  Assumption 

In  Section  11.1.1,  we  showed  an  efficient  algorithm  for  deciding  whether  a 
given  input  x is  a quadratic  residue  modulo  a prime  p.  Can  we  adapt  the 
algorithm  to  work  modulo  a composite  number  N?  Proposition  11.6  gives  an 
easy  solution  to  this  problem  provided  the  factorization  of  N is  known.  This 
is  written  in  algorithmic  form  below  in  Algorithm  11.11. 
ALGORITHM 11.11

Deciding quadratic residuosity modulo a composite of known factorization

Input: Composite N = pq; the factors p and q; element x ∈ Z_N^*
Output: A decision as to whether x ∈ QR_N

compute J_p(x) and J_q(x)
if J_p(x) = J_q(x) = +1 return "quadratic residue"
else return "quadratic non-residue"
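An added example, not the book's code, covering Section 11.1.2 and Algorithm 11.11: square roots modulo N = pq recombined through the Chinese remainder theorem as in Example 11.7, the Jacobi symbol J_N computed from the factors, the residuosity decision of Algorithm 11.11, and an exhaustive check of the counts in Proposition 11.8 for small constructed moduli. The function names are this example's own.

```python
# Added example (not from the book): quadratic residues modulo N = pq with
# the factorization known. Moduli are tiny and constructed for checking.


def jacobi_prime(x, p):
    """J_p(x) = x^((p-1)/2) mod p, returned as +1 or -1 (p an odd prime)."""
    return 1 if pow(x % p, (p - 1) // 2, p) == 1 else -1


def jacobi_composite(x, p, q):
    """J_N(x) = J_p(x) * J_q(x) for N = pq (definition in Section 11.1.2)."""
    return jacobi_prime(x, p) * jacobi_prime(x, q)


def is_qr_composite(x, p, q):
    """Algorithm 11.11: x is a QR mod pq iff it is a QR mod p and mod q."""
    return jacobi_prime(x, p) == 1 and jacobi_prime(x, q) == 1


def crt(xp, xq, p, q):
    """The element of Z_N corresponding to (xp, xq) under Z_N ~ Z_p x Z_q."""
    n = p * q
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % n


def square_roots_mod_pq(y, p, q):
    """The four square roots of a quadratic residue y modulo N = pq:
    one root modulo each prime (by brute force, primes are tiny), then the
    four sign combinations of Equation (11.2) mapped back with the CRT."""
    xp = next(a for a in range(1, p) if (a * a) % p == y % p)
    xq = next(b for b in range(1, q) if (b * b) % q == y % q)
    return sorted({crt(s * xp % p, t * xq % q, p, q)
                   for s in (1, -1) for t in (1, -1)})


def classify(p, q):
    """Partition Z_N^* into QR_N, QNR_N^{+1} and J_N^{-1} (sorted lists),
    deciding each element with the factors as in Algorithm 11.11."""
    n = p * q
    units = [x for x in range(1, n) if x % p and x % q]
    qr = [x for x in units if is_qr_composite(x, p, q)]
    qnr_plus = [x for x in units
                if jacobi_composite(x, p, q) == 1 and not is_qr_composite(x, p, q)]
    j_minus = [x for x in units if jacobi_composite(x, p, q) == -1]
    return qr, qnr_plus, j_minus


def check_counts(p, q):
    """Proposition 11.8 for N = pq: |J_N^{+1}| = phi(N)/2 and QR_N is half of
    J_N^{+1}. The last line is a consequence of these counts: two thirds of
    all quadratic non-residues have Jacobi symbol -1."""
    qr, qnr_plus, j_minus = classify(p, q)
    phi = (p - 1) * (q - 1)
    return (len(qr) + len(qnr_plus) == phi // 2
            and len(qr) == len(qnr_plus) == phi // 4
            and len(j_minus) == phi // 2
            and 3 * len(j_minus) == 2 * (len(qnr_plus) + len(j_minus)))


if __name__ == "__main__":
    print("square roots of 4 mod 15:", square_roots_mod_pq(4, 5, 3))
    qr, qnr_plus, j_minus = classify(5, 3)
    print("QR_15 =", qr, " QNR_15^{+1} =", qnr_plus, " J_15^{-1} =", j_minus)
    print("Proposition 11.8 counts hold for 15, 77, 221:",
          check_counts(5, 3), check_counts(7, 11), check_counts(13, 17))
```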


(As always, we assume the factors of N are distinct odd primes.) A simple modification of the above algorithm allows for computing J_N(x) when the factorization of N is known.

When the factorization of N is unknown, however, there is no known polynomial-time algorithm for deciding whether a given x is a quadratic residue modulo N or not. Somewhat surprisingly, a polynomial-time algorithm is known for computing J_N(x) without the factorization of N. (Although the algorithm itself is not that complicated, its proof of correctness is beyond the scope of this book and we therefore do not present the algorithm at all. The interested reader can refer to the references listed at the end of this chapter.) This leads to a partial test of quadratic residuosity: if, for a given input x, it holds that J_N(x) = −1, then x cannot possibly be a quadratic residue. (See Proposition 11.8.) This test says nothing in case J_N(x) = +1, and it is widely believed that there does not exist any polynomial-time algorithm for deciding quadratic residuosity in this case (that performs better than random guessing).

We now formalize this assumption. Let GenModulus be a polynomial-time algorithm that, on input 1^n, outputs (N, p, q) where N = pq, and p and q are n-bit primes except with probability negligible in n.

DEFINITION 11.12 We say deciding quadratic residuosity is hard relative to GenModulus if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that

$$\Big|\, \Pr[A(N, qr) = 1] - \Pr[A(N, qnr) = 1] \,\Big| \le \mathsf{negl}(n),$$

where in each case the probabilities are taken over the experiment in which GenModulus(1^n) is run to give (N, p, q), qr is chosen at random from QR_N, and qnr is chosen at random from QNR_N^{+1}.

It is crucial in the above that qnr is chosen from QNR_N^{+1} rather than QNR_N; if qnr were chosen from QNR_N then with probability 2/3 it would be the case that J_N(qnr) = −1 and so distinguishing qnr from a random quadratic residue would be easy. (Recall that J_N(x) can be computed efficiently even without the factorization of N.)
The quadratic residuosity assumption is simply the assumption that there exists a GenModulus relative to which deciding quadratic residuosity is hard. It is easy to see that if deciding quadratic residuosity is hard relative to GenModulus, then factoring is hard relative to GenModulus as well.

11.1.4  The  Goldwasser-Micali  Encryption  Scheme 

The  preceding  section  immediately  suggests  a public-key  encryption  scheme 
for  single-bit  messages  based  on  the  quadratic  residuosity  assumption: 

• The  public  key  is  a modulus  N,  and  the  secret  key  is  the  factorization 
of  N. 

• The encryption of the bit '0' is a random quadratic residue, and the
encryption of the bit '1' is a random quadratic non-residue with Jacobi
symbol $+1$.

• The  receiver  can  decrypt  a ciphertext  c with  its  secret  key  by  using  the 
factorization  of  N to  decide  whether  c is  a quadratic  residue  or  not. 

Security of this scheme in the sense of Definition 10.3 follows almost trivially
from the difficulty of the quadratic residuosity problem as formalized in
Definition 11.12.

One thing missing from the above description is a specification of how the
sender, who does not know the factorization of $N$, can choose a random
element of $\mathcal{QR}_N$ (in case it wants to encrypt a 0) or a random element of
$\mathcal{QNR}_N^{+1}$ (in case it wants to encrypt a 1). The first of these turns out to be
easy to do, while the second requires some ingenuity.

Choosing a random quadratic residue. Choosing a random element
$y \in \mathcal{QR}_N$ is easy: simply pick a random $x \leftarrow \mathbb{Z}_N^*$ (see Appendix B.2.4)
and set $y := [x^2 \bmod N]$. Clearly $y \in \mathcal{QR}_N$. The fact that $y$ is uniformly
distributed in $\mathcal{QR}_N$ follows from the facts that squaring modulo $N$ is a 4-to-1
function (see Section 11.1.2) and that $x$ is chosen at random from $\mathbb{Z}_N^*$. In
more detail, fix any $\hat y \in \mathcal{QR}_N$ and let us compute the probability that $y = \hat y$
after the above procedure. Denote the four square roots of $\hat y$ by $\pm \hat x, \pm \hat x'$.
Then:

$$\Pr[y = \hat y] = \Pr[x \text{ is a square root of } \hat y]
= \Pr\bigl[x \in \{\pm \hat x, \pm \hat x'\}\bigr]
= \frac{4}{|\mathbb{Z}_N^*|} = \frac{1}{|\mathcal{QR}_N|}.$$

Since the above holds for every $\hat y \in \mathcal{QR}_N$, we see that $y$ is distributed uniformly
in $\mathcal{QR}_N$.
Choosing a random element of $\mathcal{QNR}_N^{+1}$. In general, it is not known how
to choose a random element of $\mathcal{QNR}_N^{+1}$ if the factorization of $N$ is unknown.
What saves us in the present context is that the receiver who generates the
keys can help. Specifically, we modify the scheme as described above so that
the receiver additionally chooses a random $z \leftarrow \mathcal{QNR}_N^{+1}$ and includes $z$ as
part of its public key. (This is easy for the receiver to do since it knows
the factorization of $N$; see Exercise 11.3.) The sender can choose a random
element $y \in \mathcal{QNR}_N^{+1}$ by choosing a random $x \leftarrow \mathbb{Z}_N^*$ (as above) and setting
$y := [z \cdot x^2 \bmod N]$. It follows from Corollary 11.10 that $y \in \mathcal{QNR}_N^{+1}$. We
leave it as an exercise to show that $y$ is uniformly distributed in $\mathcal{QNR}_N^{+1}$; we
do not use this fact directly in the proof of security given below.

We  give  a complete  description  of  the  Goldwasser-Micali  encryption  scheme, 
implementing  the  above  ideas  in  Construction  11.13. 


CONSTRUCTION  11.13 

Let GenModulus be a polynomial-time algorithm that, on input $1^n$, outputs
$(N, p, q)$ where $N = pq$, and $p$ and $q$ are $n$-bit primes except with
probability negligible in $n$. Construct a public-key encryption scheme as
follows:

• Gen: on input $1^n$, run GenModulus$(1^n)$ to obtain $(N, p, q)$, and
choose a random $z \leftarrow \mathcal{QNR}_N^{+1}$. The public key is $pk = (N, z)$ and
the private key is $sk = (p, q)$.

• Enc: on input a public key $pk = (N, z)$ and a message $m \in \{0, 1\}$,
choose a random $x \leftarrow \mathbb{Z}_N^*$ and output the ciphertext

$$c := [z^m \cdot x^2 \bmod N].$$

• Dec: on input a private key $sk = (p, q)$ and a ciphertext $c$, determine
whether $c$ is a quadratic residue modulo $N$ using, e.g.,
Algorithm 11.11. If $c$ is a quadratic residue, output 0; otherwise,
output 1.

The  Goldwasser-Micali  encryption  scheme. 
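The following Python implementation of Construction 11.13 is an added worked example, not code from the book. The function names, the toy primes 10007 and 10009 and the optional seeded rng are assumptions made here so the example runs offline and reproducibly; a real implementation draws $n$-bit primes from a proper generator and randomness from the operating system. The Jacobi symbol is computed without the factorization, which is exactly the public test Proposition 11.8 allows, and the demo checks that every ciphertext, for both bits, has Jacobi symbol $+1$, so that test learns nothing about the plaintext.

```python
"""Goldwasser-Micali for single bits, following Construction 11.13.

Added worked example, not code from the book. The primes 10007 and 10009
are toy constants chosen for an offline demo (assumption: a deployment
draws n-bit primes from a proper generator); the optional rng argument is
an assumption for reproducibility and defaults to OS randomness.
"""
import random
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; needs no factorization of n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # factor out 2s using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(c: int, p: int, q: int) -> bool:
    """Trapdoor test: c is a QR mod N = pq iff it is a QR mod p and mod q
    (Euler's criterion, as in Algorithm 11.11)."""
    return pow(c, (p - 1) // 2, p) == 1 and pow(c, (q - 1) // 2, q) == 1


def keygen(p: int, q: int, rng=None):
    """Gen: pk = (N, z) with z a random element of QNR_N^{+1}; sk = (p, q).
    Sampling z needs the factorization, which is why the key holder does it."""
    rng = rng or random.SystemRandom()
    N = p * q
    while True:
        z = rng.randrange(2, N)
        if gcd(z, N) == 1 and not is_qr(z, p, q) and jacobi(z, N) == 1:
            return (N, z), (p, q)


def encrypt(pk, m: int, rng=None) -> int:
    """Enc: c = z^m * x^2 mod N for a random x in Z_N^*."""
    rng = rng or random.SystemRandom()
    N, z = pk
    assert m in (0, 1)
    while True:
        x = rng.randrange(1, N)
        if gcd(x, N) == 1:
            break
    return (pow(z, m, N) * pow(x, 2, N)) % N


def decrypt(sk, c: int) -> int:
    """Dec: 0 if c is a quadratic residue mod N, otherwise 1."""
    p, q = sk
    return 0 if is_qr(c, p, q) else 1


def demo(seed: int = 1, rounds: int = 50) -> dict:
    """Round-trip both bits and confirm every ciphertext has Jacobi symbol +1,
    so the public test of Proposition 11.8 reveals nothing about m."""
    rng = random.Random(seed)            # seeded only for a reproducible demo
    p, q = 10007, 10009                  # constructed toy primes
    pk, sk = keygen(p, q, rng)
    N, _ = pk
    roundtrip = jacobi_plus_one = True
    for m in (0, 1):
        for _ in range(rounds):
            c = encrypt(pk, m, rng)
            roundtrip &= decrypt(sk, c) == m
            jacobi_plus_one &= jacobi(c, N) == 1
    return {"roundtrip": roundtrip, "jacobi_all_plus_one": jacobi_plus_one}
```

Decryption needs only Euler's criterion modulo $p$ and modulo $q$; sampling $z$ from $\mathcal{QNR}_N^{+1}$ is done by rejection with that same trapdoor test plus the public Jacobi check, which is why $z$ has to be chosen by the key holder and shipped in the public key.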


THEOREM  11.14  If  the  quadratic  residuosity  problem  is  hard  relative 
to  GenModulus,  then  the  Goldwasser-Micali  encryption  scheme  has  indistin- 
guishable encryptions  under  a chosen-plaintext  attack. 


PROOF Let $\Pi$ denote the Goldwasser-Micali encryption scheme. We prove
that $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper;
by Theorem 10.10 this implies that it is CPA-secure.
Let $A$ be a probabilistic polynomial-time adversary, and define

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr\bigl[\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1\bigr].$$

Consider the following PPT adversary $D$ that attempts to solve the quadratic
residuosity problem relative to GenModulus:

Algorithm $D$:

The algorithm is given $N$ and $z$ as input and its goal is to determine
if $z \in \mathcal{QR}_N$ or $z \in \mathcal{QNR}_N^{+1}$.

• Set $pk = (N, z)$ and run $A(pk)$ to obtain two single-bit messages $m_0, m_1$.

• Choose a random bit $b$ and a random $x \leftarrow \mathbb{Z}_N^*$, and then set
$c := [z^{m_b} \cdot x^2 \bmod N]$.

• Give the ciphertext $c$ to $A$ and obtain an output bit $b'$. If
$b' = b$, output 1; otherwise, output 0.

Let  us  analyze  the  behavior  of  D.  There  are  two  cases  to  consider: 

Case 1: Say the input to $D$ was generated by running GenModulus$(1^n)$ to
obtain $(N, p, q)$, and then choosing a random $z \leftarrow \mathcal{QNR}_N^{+1}$. Then $D$ runs
$A$ on a public key constructed exactly as in $\Pi$, and we see that in this case
the view of $A$ when run as a subroutine by $D$ is distributed identically to $A$'s
view in experiment $\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$. Since $D$ outputs 1 exactly when the output
$b'$ of $A$ is equal to $b$, we have that

$$\Pr[D(N, qnr) = 1] = \Pr\bigl[\mathsf{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1\bigr] = \varepsilon(n),$$

where $qnr$ represents a random element of $\mathcal{QNR}_N^{+1}$ as in Definition 11.12.

Case 2: Say the input to $D$ was generated by running GenModulus$(1^n)$ to
obtain $(N, p, q)$, and then choosing a random $z \leftarrow \mathcal{QR}_N$. We claim that the
view of $A$ in this case is independent of the bit $b$. To see this, note that the
ciphertext $c$ given to $A$ is a random quadratic residue regardless of whether
a 0 or a 1 is encrypted:

• When a 0 is encrypted, $c = [x^2 \bmod N]$ for a random $x \leftarrow \mathbb{Z}_N^*$, and $c$ is
a random quadratic residue.

• When a 1 is encrypted, $c = [z \cdot x^2 \bmod N]$ for a random $x \leftarrow \mathbb{Z}_N^*$. Let
$\hat x := [x^2 \bmod N]$, and note that $\hat x$ is a uniformly-distributed element
of the group $\mathcal{QR}_N$. Since $z \in \mathcal{QR}_N$, we can apply Lemma 10.20 to
conclude that $c$ is uniformly distributed in $\mathcal{QR}_N$ as well.

Since $A$'s view is independent of $b$, the probability that $b' = b$ in this case is
exactly $1/2$. That is,

$$\Pr[D(N, qr) = 1] = \tfrac{1}{2},$$

where $qr$ represents a random element of $\mathcal{QR}_N$ as in Definition 11.12.
Thus,

$$\Bigl|\Pr[D(N, qr) = 1] - \Pr[D(N, qnr) = 1]\Bigr| = \Bigl|\tfrac{1}{2} - \varepsilon(n)\Bigr|.$$

By the assumption that the quadratic residuosity problem is hard relative to
GenModulus, there exists a negligible function negl such that

$$\bigl|\varepsilon(n) - \tfrac{1}{2}\bigr| \le \mathsf{negl}(n)$$

and so $\varepsilon(n) \le \tfrac{1}{2} + \mathsf{negl}(n)$, completing the proof. ∎


11.2  The  Rabin  Encryption  Scheme 

Security  of  the  Rabin  encryption  scheme  is  based  on  the  fact  that  it  is  easy 
to  compute  square  roots  modulo  a composite  number  N if  the  factorization 
of  N is  known,  yet  it  appears  difficult  to  compute  square  roots  modulo  N 
when  the  factorization  of  N is  unknown.  In  fact,  as  we  will  see,  computing 
square  roots  modulo  N is  equivalent  to  (i.e.,  it  is  equally  hard  as)  factor- 
ing N.  In  other  words,  the  factoring  assumption  implies  the  difficulty  of 
computing  square  roots  modulo  a composite  (generated  appropriately).  Due 
to  this  equivalence,  a version  of  the  Rabin  encryption  scheme  can  be  shown 
to  be  CPA-secure  based  solely  on  the  assumption  that  factoring  is  hard.  This 
makes  the  Rabin  encryption  scheme  very  attractive,  at  least  from  a theoreti- 
cal point  of  view.  An  analogous  result  is  not  known  for  RSA  encryption,  and 
the  RSA  problem  may  potentially  be  easier  than  factoring.  The  same  is  true 
of  the  Goldwasser-Micali  encryption  scheme,  and  it  may  be  possible  to  decide 
quadratic  residuosity  modulo  N without  factoring  N. 

Interestingly,  the  Rabin  encryption  scheme  is  (superficially,  at  least)  very 
similar  to  the  RSA  encryption  scheme  yet  has  the  advantage  of  being  based 
on a potentially weaker assumption. The fact that RSA is more widely used
than the former seems to be due more to historical factors than technical ones;
we discuss this further at the end of this section.

11.2.1  Computing  Modular  Square  Roots 

The  Rabin  encryption  scheme  requires  the  receiver  to  compute  modular 
square  roots,  and  so  in  this  section  we  explore  the  algorithmic  complexity  of 
this  problem.  We  first  show  an  efficient  algorithm  for  computing  square  roots 
modulo  a prime  p,  and  then  extend  this  algorithm  to  enable  computation  of 
square roots modulo a composite $N$ of known factorization. The reader willing
to accept the existence of these algorithms on faith can skip to the following
section, where we show that computing square roots modulo a composite $N$
with unknown factorization is equivalent to factoring $N$.

Let  p be  an  odd  prime.  Computing  square  roots  modulo  p is  relatively 
simple  when  p = 3 mod  4,  and  much  more  involved  when  p = 1 mod  4.  (The 
easier  case  is  all  we  need  for  the  Rabin  encryption  scheme  as  presented  in 
Section  11.2.3;  we  include  the  second  case  for  completeness.)  In  both  cases, 
we show how to compute one of the square roots of a quadratic residue $a \in \mathbb{Z}_p^*$.
Note that if $x$ is one of the square roots of $a$, then $[-x \bmod p]$ is the other.

We tackle the easier case first. Say $p = 3 \bmod 4$, meaning we can write
$p = 4i + 3$ for some integer $i$. Since $a \in \mathbb{Z}_p^*$ is a quadratic residue, we have
$a^{(p-1)/2} = 1 = a^{2i+1} \bmod p$ (see Proposition 11.2). Multiplying both sides by $a$
we obtain

$$a = a^{2i+2} = \bigl(a^{i+1}\bigr)^2 \bmod p,$$

and so $a^{i+1} \bmod p$ is a square root of $a$. That is, we can compute a
square root of $a$ modulo $p$ as $x := [a^{(p+1)/4} \bmod p]$.

It is crucial above that $(p+1)/2$ is even because this ensures that $(p+1)/4$
is an integer (this is necessary in order for $a^{(p+1)/4} \bmod p$ to be well-defined;
recall that the exponent must be an integer). This approach does not succeed
when $p = 1 \bmod 4$, in which case $p + 1$ is an integer that is not divisible by 4.

When $p = 1 \bmod 4$ we proceed slightly differently. Motivated by the above
approach, we might think to search for an odd integer $r$ for which it holds
that $a^r = 1 \bmod p$. Then, as above, $a^{r+1} = a \bmod p$ and $a^{(r+1)/2} \bmod p$ would
be a square root of $a$ with $(r+1)/2$ an integer. Though we will not be able
to do this, we can do something just as good: we will find an odd integer $r$
along with an element $b \in \mathbb{Z}_p^*$ and an even integer $r'$ such that

$$a^r \cdot b^{r'} = 1 \bmod p.$$

Then $a^{r+1} \cdot b^{r'} = a \bmod p$ and $a^{(r+1)/2} \cdot b^{r'/2} \bmod p$ is a square root of $a$ (with the
exponents $(r+1)/2$ and $r'/2$ being integers).

Example 11.15

Take $p = 29$ and $a = 22$. Then $22^7 \cdot 2^{14} = 1 \bmod 29$, and so we have that
$15 = 22^{(7+1)/2} \cdot 2^{14/2} = 22^4 \cdot 2^7 \bmod 29$ is a square root of 22 modulo 29. The
other square root is, of course, $-15 = 14 \bmod 29$. ◇

We now describe the general approach to finding $r$, $b$, and $r'$ with the stated
properties. Let $(p-1)/2 = 2^\ell \cdot m$ where $\ell, m$ are integers with $\ell \ge 1$ and $m$ odd.¹
Since $a$ is a quadratic residue, we know that

$$a^{2^\ell \cdot m} = 1 \bmod p. \qquad (11.3)$$

This means that $a^{2^{\ell-1} \cdot m} \bmod p$ is a square root of 1. The square
roots of 1 modulo $p$ are $\pm 1 \bmod p$, so we know that $a^{2^{\ell-1} \cdot m} = \pm 1 \bmod p$. If
$a^{2^{\ell-1} \cdot m} = 1 \bmod p$, we are in the same situation as in Equation (11.3) except
that the exponent of $a$ is now divisible by a smaller power of 2. This is progress
in the right direction: if we can get to the point where the exponent of $a$ is
not divisible by any power of 2 (as would be the case here if $\ell = 1$), then the
exponent of $a$ is odd and we can compute a square root as discussed earlier.
We give an example, and discuss in a moment how to deal with the case when
$a^{2^{\ell-1} \cdot m} = -1 \bmod p$.

¹The integers $\ell$ and $m$ can be computed easily by taking out factors of 2 from $(p-1)/2$.


Example 11.16

Take $p = 29$ and $a = 7$. Since 7 is a quadratic residue modulo 29, we have
$7^{14} \bmod 29 = 1$ and we know that $7^7 \bmod 29$ is a square root of 1. In fact,

$$7^7 = 1 \bmod 29,$$

and the exponent 7 is odd. So $7^{(7+1)/2} = 7^4 = 23 \bmod 29$ is a square root of 7
modulo 29. ◇

To summarize where things stand: we begin with $a^{2^\ell m} = 1 \bmod p$ and we
pull factors of 2 out of the exponent of $a$ until one of two things happen: either
$a^{m} = 1 \bmod p$, or $a^{2^{\ell'} m} = -1 \bmod p$ for some $\ell' < \ell$. In the first case, since $m$
is odd we can immediately compute a square root of $a$ as in Example 11.16.
In the second case, we will "restore" the $+1$ on the right-hand side of the
equation by multiplying each side of the equation by $-1 \bmod p$. However,
as motivated at the beginning of this discussion, we want to achieve this by
multiplying the left-hand side of the equation by some element $b$ raised to an
even power. If we have available a quadratic non-residue $b \in \mathbb{Z}_p^*$, this is easy;
since $b^{(p-1)/2} = b^{2^\ell m} = -1 \bmod p$ we have

$$a^{2^{\ell'} m} \cdot b^{2^\ell m} = 1 \bmod p.$$

We can now proceed as before, taking a square root of the entire left-hand
side to reduce the largest power of 2 dividing the exponent of $a$, and
multiplying by $b^{2^\ell m}$ (as needed) so the right-hand side is always $+1$. Observe
that the exponent of $b$ is always divisible by a larger power of 2 than the
exponent of $a$ (and so we can indeed take square roots by dividing by 2 in
both exponents). We continue performing these steps until the exponent of $a$ is
odd, and can then compute a square root of $a$ as described earlier. Pseudocode
for this algorithm, which gives another way of viewing what is going on, is
given below in Algorithm 11.17. It can be verified that the algorithm runs in
polynomial time given a quadratic non-residue $b$.

One point we have not yet addressed is how to find $b$ in the first place.
Actually, no deterministic polynomial-time algorithm for finding a quadratic
non-residue modulo $p$ is known. Fortunately, it is easy to find a quadratic
non-residue probabilistically: simply choose random elements of $\mathbb{Z}_p^*$ until a
quadratic non-residue is found. This works because exactly half the elements
of $\mathbb{Z}_p^*$ are quadratic non-residues, and because a polynomial-time algorithm
for deciding quadratic residuosity modulo a prime is known (see Section 11.1.1
for proofs of both these statements). This means that the algorithm we have
shown is actually randomized when $p = 1 \bmod 4$; a deterministic polynomial-
time algorithm for computing square roots in this case is not known.


ALGORITHM 11.17

Computing square roots modulo a prime

Input: Prime $p$; quadratic residue $a \in \mathbb{Z}_p^*$
Output: A square root of $a$

case $p = 3 \bmod 4$:
    return $[a^{(p+1)/4} \bmod p]$
case $p = 1 \bmod 4$:
    let $b$ be a quadratic non-residue modulo $p$
    compute $\ell$ and $m$ odd with $2^\ell \cdot m = (p-1)/2$
    $r := 2^\ell \cdot m$, $r' := 0$
    for $i = \ell$ to 1 {
        /* maintain the invariant $a^{r} \cdot b^{r'} = 1 \bmod p$ */
        $r := r/2$, $r' := r'/2$
        if $a^{r} \cdot b^{r'} = -1 \bmod p$
            $r' := r' + 2^\ell \cdot m$
    }
    /* now $r = m$, $r'$ is even, and $a^{r} \cdot b^{r'} = 1 \bmod p$ */
    return $[a^{(r+1)/2} \cdot b^{r'/2} \bmod p]$


Example 11.18

Here we consider the "worst case," when taking a square root always gives $-1$.
Let $a \in \mathbb{Z}_p^*$ be the element whose square root we are trying to compute; let
$b \in \mathbb{Z}_p^*$ be a quadratic non-residue; and let $(p-1)/2 = 2^3 \cdot m$ where $m$ is odd.

In the first step, we have $a^{2^3 m} = 1 \bmod p$. Since $\bigl(a^{2^2 m}\bigr)^2 = a^{2^3 m} = 1$ and the
square roots of 1 are $\pm 1$, this means that $a^{2^2 m} = \pm 1 \bmod p$; assuming the
worst case, $a^{2^2 m} = -1 \bmod p$. So, we multiply by $b^{(p-1)/2} = b^{2^3 m} = -1 \bmod p$
to obtain

$$a^{2^2 m} \cdot b^{2^3 m} = 1 \bmod p.$$

In the second step, we observe that $a^{2m} \cdot b^{2^2 m}$ is a square root of 1; again
assuming the worst case, we thus have $a^{2m} \cdot b^{2^2 m} = -1 \bmod p$. Multiplying
by $b^{2^3 m}$ to "correct" this gives

$$a^{2m} \cdot b^{2^2 m} \cdot b^{2^3 m} = 1 \bmod p.$$

In the third step, taking square roots and assuming the worst case (as
above) we obtain $a^{m} \cdot b^{2m} \cdot b^{2^2 m} = -1 \bmod p$; multiplying by the "correction
factor" $b^{2^3 m}$ we get

$$a^{m} \cdot b^{2m} \cdot b^{2^2 m} \cdot b^{2^3 m} = 1 \bmod p.$$

We are now where we want to be. To conclude the algorithm, multiply both
sides by $a$ to obtain

$$a^{m+1} \cdot b^{2m + 2^2 m + 2^3 m} = a \bmod p.$$

Since $m$ is odd, $(m+1)/2$ is an integer and $a^{(m+1)/2} \cdot b^{m + 2m + 2^2 m} \bmod p$ is a
square root of $a$. ◇


Example 11.19

Here we work out a concrete example. Let $p = 17$, $a = 4$, and $b = 3$. Note
that here $(p-1)/2 = 2^3$ and $m = 1$.

We begin with $4^8 = 1 \bmod 17$. So $4^4$ should be equal to $\pm 1 \bmod 17$; by
calculation, we see that $4^4 = 1 \bmod 17$ and so no correction term is needed
in this step.

Continuing, we know that $4^2$ is a square root of 1 and so must be equal
to $\pm 1 \bmod 17$; calculation gives $4^2 = -1 \bmod 17$. Multiplying by $3^8$ gives
$4^2 \cdot 3^8 = 1 \bmod 17$.

Finally, we consider $4 \cdot 3^4 = 1 \bmod 17$. We are now almost done: multiplying
both sides by 4 gives $4^2 \cdot 3^4 = 4 \bmod 17$ and so $4 \cdot 3^2 = 2 \bmod 17$ is a
square root of 4. ◇


Computing  Square  Roots  Modulo  N 

It is not hard to see that the algorithm we have shown for computing square
roots modulo a prime can be extended easily to the case of computing square
roots modulo a composite $N = pq$ of known factorization. Specifically, let
$a \in \mathbb{Z}_N^*$ be a quadratic residue with $a \leftrightarrow (a_p, a_q)$ via the Chinese remainder
theorem. Computing the square roots $x_p, x_q$ of $a_p, a_q$ modulo $p$ and $q$, respectively,
gives a square root $(x_p, x_q)$ of $a$ (see Section 11.1.2). Given $x_p$ and $x_q$,
the representation $x$ corresponding to $(x_p, x_q)$ can be recovered as discussed
in Section 7.1.5. Writing out these steps explicitly: to compute a square root
of $a$ modulo an integer $N = pq$ of known factorization, do:

• Compute $a_p := [a \bmod p]$ and $a_q := [a \bmod q]$.

• Using Algorithm 11.17, compute a square root $x_p$ of $a_p$ modulo $p$ and a
square root $x_q$ of $a_q$ modulo $q$.

• Convert from the representation $(x_p, x_q) \in \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ to $x \in \mathbb{Z}_N^*$ with
$x \leftrightarrow (x_p, x_q)$. Output $x$, which is a square root of $a$ modulo $N$.

It is easy to modify the algorithm so that it returns all four square roots of $a$.
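Algorithm 11.17 and the three-step CRT extension above, written out in Python as an added worked example; this is not the book's code. The function names, the optional rng parameter and the sample moduli are assumptions introduced here. The $p = 1 \bmod 4$ branch follows the book's loop and its invariant $a^r \cdot b^{r'} = 1 \bmod p$ literally, including the randomized search for the non-residue $b$, and the modulo-$N$ routine returns all four roots rather than one, as the last sentence above suggests.

```python
"""Square roots modulo a prime (Algorithm 11.17) and modulo N = pq of known
factorization (the three steps above), as an added worked example; this is
not the book's code. find_nonresidue is the randomized search the text
describes. The optional rng argument is an assumption for reproducible runs
and defaults to OS randomness.
"""
import random


def legendre(a: int, p: int) -> int:
    """Euler's criterion: +1 for a residue, -1 for a non-residue, 0 if p | a."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def find_nonresidue(p: int, rng=None) -> int:
    """Pick random elements of Z_p^* until one is a non-residue (half are)."""
    rng = rng or random.SystemRandom()
    while True:
        b = rng.randrange(2, p)
        if legendre(b, p) == -1:
            return b


def sqrt_mod_prime(a: int, p: int, rng=None) -> int:
    """One square root of the quadratic residue a modulo the odd prime p."""
    a %= p
    if legendre(a, p) != 1:
        raise ValueError("a is not a quadratic residue modulo p")
    if p % 4 == 3:                       # easy case: a^((p+1)/4)
        return pow(a, (p + 1) // 4, p)
    # p = 1 mod 4: write (p-1)/2 = 2^l * m with m odd
    m, l = (p - 1) // 2, 0
    while m % 2 == 0:
        m //= 2
        l += 1
    b = find_nonresidue(p, rng)
    r, rp = (1 << l) * m, 0              # invariant: a^r * b^rp == 1 (mod p)
    for _ in range(l):
        r //= 2                          # take a square root of both sides;
        rp //= 2                         # rp always has more 2s than r
        if (pow(a, r, p) * pow(b, rp, p)) % p == p - 1:
            rp += (1 << l) * m           # restore +1 with b^((p-1)/2) = -1
    assert r == m and rp % 2 == 0
    return (pow(a, (r + 1) // 2, p) * pow(b, rp // 2, p)) % p


def crt(xp: int, p: int, xq: int, q: int) -> int:
    """x in Z_N with x = xp mod p and x = xq mod q (Section 7.1.5)."""
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def sqrt_mod_pq(a: int, p: int, q: int, rng=None) -> list:
    """All four square roots of the quadratic residue a modulo N = pq."""
    xp = sqrt_mod_prime(a % p, p, rng)
    xq = sqrt_mod_prime(a % q, q, rng)
    return sorted(crt(sp * xp, p, sq * xq, q) for sp in (1, -1) for sq in (1, -1))


if __name__ == "__main__":
    # the book's examples: p = 29, a = 22 -> {14, 15}; p = 17, a = 4 -> {2, 15}
    print(sqrt_mod_prime(22, 29), sqrt_mod_prime(4, 17))
    # 998244353 - 1 = 2^23 * 7 * 17, so l = 22 and the loop does real work
    print(sqrt_mod_prime(2, 998244353), sqrt_mod_pq(4, 1019, 1031))
```

Because the answer is only defined up to sign at each prime, the root returned for $p = 1 \bmod 4$ depends on which non-residue $b$ the search found; any caller that needs a canonical root has to pick one (for example the smaller of $x$ and $p - x$) after the fact.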

11.2.2  A Trapdoor  Permutation  Based  on  Factoring 

We  have  seen  that  computing  square  roots  modulo  N can  be  carried  out 
in  polynomial  time  if  the  factorization  of  N is  known.  We  show  here  that,  in 
contrast,  computing  square  roots  modulo  a composite  N of  unknown  factor- 
ization is  as  hard  as  factoring  N . 

More formally, let GenModulus be a polynomial-time algorithm that, on
input $1^n$, outputs $(N, p, q)$ where $N = pq$ and $p$ and $q$ are $n$-bit primes except
with probability negligible in $n$. Consider the following experiment for a given
algorithm $A$ and parameter $n$:

The square root computation experiment $\mathsf{SQR}_{A,\mathsf{GenModulus}}(n)$:

1. Run GenModulus$(1^n)$ to obtain output $N, p, q$.

2. Choose $y \leftarrow \mathcal{QR}_N$.

3. $A$ is given $(N, y)$, and outputs $x \in \mathbb{Z}_N^*$.

4. The output of the experiment is defined to be 1 if $x^2 = y \bmod N$,
and 0 otherwise.

DEFINITION 11.20 We say that computing square roots is hard relative to
GenModulus if for all probabilistic polynomial-time algorithms $A$ there exists
a negligible function negl such that

$$\Pr\bigl[\mathsf{SQR}_{A,\mathsf{GenModulus}}(n) = 1\bigr] \le \mathsf{negl}(n).$$

It  is  easy  to  see  that  if  computing  square  roots  is  hard  relative  to  GenModulus 
then  factoring  must  be  hard  relative  to  GenModulus  too:  if  moduli  N output 
by  GenModulus  could  be  factored  easily  then  it  would  be  easy  to  compute 
square  roots  modulo  N by  first  factoring  N and  then  applying  the  algorithm 
discussed  in  the  previous  section.  Our  aim  now  is  to  show  the  converse:  that  if 
factoring  is  hard  relative  to  GenModulus  then  so  is  the  problem  of  computing 
square  roots.  We  emphasize  again  that  such  a result  is  not  known  for  the 
RSA  problem  or  the  problem  of  deciding  quadratic  residuosity. 

The  key  is  the  following  lemma,  which  says  that  two  “unrelated”  square 
roots  of  any  element  in  Z^  can  be  used  to  factor  N. 

LEMMA 11.21 Let $N = pq$ with $p, q$ distinct, odd primes. Given $x, \hat x$
such that $x^2 = y = \hat x^2 \bmod N$ but $x \neq \pm \hat x \bmod N$, it is possible to factor $N$
in time polynomial in $\|N\|$.
PROOF We claim that either $\gcd(N, x + \hat x)$ or $\gcd(N, x - \hat x)$ is equal to
one of the prime factors of $N$.² Since gcd computations can be carried out in
polynomial time (see Appendix B.1.2), this proves the lemma.

If $x^2 = \hat x^2 \bmod N$ then

$$0 = x^2 - \hat x^2 = (x - \hat x) \cdot (x + \hat x) \bmod N,$$

and so $N \mid (x - \hat x)(x + \hat x)$. Then $p \mid (x - \hat x)(x + \hat x)$ and so $p$ divides one of these
terms. Say $p \mid (x + \hat x)$ (the proof proceeds similarly if $p \mid (x - \hat x)$). If $q \mid (x + \hat x)$
then $N \mid (x + \hat x)$, but this cannot be the case since $x \neq -\hat x \bmod N$. So $q \nmid (x + \hat x)$
and $\gcd(N, x + \hat x) = p$. ∎


An alternative way of proving the above is to look at what happens in the
Chinese remaindering representation. Say $x \leftrightarrow (x_p, x_q)$. Then, because $x$
and $\hat x$ are square roots of the same value $y$, we know that $\hat x$ corresponds to
either $(-x_p, x_q)$ or $(x_p, -x_q)$. (It cannot correspond to $(x_p, x_q)$ or $(-x_p, -x_q)$
since the first corresponds to $x$ while the second corresponds to $[-x \bmod N]$,
and both possibilities are ruled out by the assumption of the lemma.) Say
$\hat x \leftrightarrow (-x_p, x_q)$. Then

$$[x + \hat x \bmod N] \leftrightarrow (x_p, x_q) + (-x_p, x_q) = (0, [2x_q \bmod q]),$$

and we see that $x + \hat x = 0 \bmod p$ while $x + \hat x \neq 0 \bmod q$. It follows that
$\gcd(N, x + \hat x) = p$, a factor of $N$.

We  can  now  prove  the  main  result  of  this  section. 

THEOREM 11.22 If factoring is hard relative to GenModulus, then
computing square roots is hard relative to GenModulus.

PROOF Let $A$ be a probabilistic polynomial-time algorithm, and define

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr\bigl[\mathsf{SQR}_{A,\mathsf{GenModulus}}(n) = 1\bigr].$$

Consider the following probabilistic polynomial-time algorithm $A_{\mathrm{fact}}$ that
attempts to factor moduli output by GenModulus:

Algorithm $A_{\mathrm{fact}}$:

The algorithm is given a modulus $N$ as input.

• Choose random $x \leftarrow \mathbb{Z}_N^*$ and compute $y := [x^2 \bmod N]$.

• Run $A(N, y)$ to obtain output $\hat x$.

• If $\hat x^2 = y \bmod N$ and $\hat x \neq \pm x \bmod N$, then factor $N$ using
Lemma 11.21.

²In fact, both of these are equal to one of the prime factors of $N$ but it is easier to prove
what we have claimed and this is anyway sufficient.

By Lemma 11.21, we know that $A_{\mathrm{fact}}$ succeeds in factoring $N$ exactly when
$\hat x \neq \pm x \bmod N$ and $\hat x^2 = y \bmod N$. That is,

$$\begin{aligned}
\Pr[\mathsf{Factor}_{A_{\mathrm{fact}},\mathsf{GenModulus}}(n) = 1]
&= \Pr[\hat x \neq \pm x \bmod N \ \wedge\ \hat x^2 = y \bmod N] \\
&= \Pr[\hat x \neq \pm x \bmod N \mid \hat x^2 = y \bmod N] \cdot \Pr[\hat x^2 = y \bmod N], \qquad (11.4)
\end{aligned}$$

where the above probabilities all refer to experiment $\mathsf{Factor}_{A_{\mathrm{fact}},\mathsf{GenModulus}}(n)$
(refer to Section 7.2.3 for a description of this experiment). In the experiment,
the modulus $N$ given as input to $A_{\mathrm{fact}}$ is generated by GenModulus$(1^n)$, and $y$
is a random quadratic residue modulo $N$ since $x$ was chosen uniformly at random
from $\mathbb{Z}_N^*$ (see Section 11.1.4). So the view of $A$ when run as a subroutine
by $A_{\mathrm{fact}}$ is distributed exactly as $A$'s view in experiment $\mathsf{SQR}_{A,\mathsf{GenModulus}}(n)$.
Therefore,

$$\Pr[\hat x^2 = y \bmod N] = \Pr\bigl[\mathsf{SQR}_{A,\mathsf{GenModulus}}(n) = 1\bigr] = \varepsilon(n). \qquad (11.5)$$

Conditioned on the value of the quadratic residue $y$ used in experiment
$\mathsf{Factor}_{A_{\mathrm{fact}},\mathsf{GenModulus}}(n)$, the value $x$ is equally likely to be any of the four
possible square roots of $y$. This means that from the point of view of algorithm
$A$ (being run as a subroutine by $A_{\mathrm{fact}}$), $x$ is equally likely to be each of the
four square roots of $y$. This in turn means that, conditioned on $A$ outputting
some square root $\hat x$ of $y$, the probability that $\hat x = \pm x \bmod N$ is exactly $1/2$.
(We stress that we do not make any assumption about how $\hat x$ is distributed
among the square roots of $y$, and in particular are not assuming here that $A$
outputs a random square root of $y$. Rather we are using the fact that $x$ is
uniformly distributed among the square roots of $y$.) That is,

$$\Pr[\hat x \neq \pm x \bmod N \mid \hat x^2 = y \bmod N] = \tfrac{1}{2}. \qquad (11.6)$$

Combining Equations (11.4)-(11.6), we see that

$$\Pr[\mathsf{Factor}_{A_{\mathrm{fact}},\mathsf{GenModulus}}(n) = 1] = \frac{\varepsilon(n)}{2}.$$

Since factoring is hard relative to GenModulus, there exists a negligible function
negl such that

$$\Pr[\mathsf{Factor}_{A_{\mathrm{fact}},\mathsf{GenModulus}}(n) = 1] \le \mathsf{negl}(n).$$

This implies $\varepsilon(n)/2 \le \mathsf{negl}(n)$ or, equivalently, $\varepsilon(n) \le 2 \cdot \mathsf{negl}(n)$, completing
the proof. ∎
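An added worked example in Python (not the book's code) of Lemma 11.21 and of the reduction $A_{\mathrm{fact}}$ from the proof just given. Because no real square-root adversary is available, make_oracle plays $A$ using the factorization, which the reduction itself never looks at; it deliberately returns a fixed root of each $y$ so that the measured success rate reflects only the uniform choice of $x$, as Equation (11.6) argues. The toy Blum primes 1019 and 1031 (chosen so that the prime-level roots are a single exponentiation each), the function names and the optional seeded rng are assumptions of this example.

```python
"""Lemma 11.21 and the reduction A_fact from the proof of Theorem 11.22, as
an added worked example (not the book's code). make_oracle stands in for the
hypothetical square-root adversary A: it uses the factorization, which the
reduction never sees, and returns a fixed root of each y on purpose, so the
measured success rate comes only from the reduction's uniform choice of x, as
Equation (11.6) argues. The toy Blum primes, chosen so that prime-level roots
are one exponentiation each, and the optional rng are assumptions.
"""
import random
from math import gcd


def factor_from_roots(N: int, x: int, xh: int) -> tuple:
    """Lemma 11.21: x^2 = xh^2 mod N with x != +-xh mod N yields a factor of N
    via gcd(N, x + xh) or gcd(N, x - xh)."""
    assert pow(x, 2, N) == pow(xh, 2, N)
    assert x % N not in (xh % N, (-xh) % N)
    g = gcd(N, x + xh)
    if g in (1, N):                      # then the other gcd is nontrivial
        g = gcd(N, x - xh)
    assert 1 < g < N
    return g, N // g


def crt(xp: int, p: int, xq: int, q: int) -> int:
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def make_oracle(p: int, q: int):
    """A square-root adversary for N = pq, p = q = 3 mod 4. It always returns
    the root whose CRT parts are y^((p+1)/4) and y^((q+1)/4): deterministic,
    because the proof assumes nothing about how A picks among the four roots."""
    def A(N: int, y: int) -> int:
        assert N == p * q
        return crt(pow(y, (p + 1) // 4, p), p, pow(y, (q + 1) // 4, q), q)
    return A


def a_fact(N: int, A, rng=None):
    """One run of A_fact: square a random x, ask A for a root of y = x^2,
    and factor if the root returned is unrelated to x."""
    rng = rng or random.SystemRandom()
    while True:
        x = rng.randrange(1, N)
        if gcd(x, N) == 1:
            break
    y = pow(x, 2, N)
    xh = A(N, y) % N
    if pow(xh, 2, N) == y and xh not in (x, N - x):
        return factor_from_roots(N, x, xh)
    return None


def success_rate(p: int, q: int, trials: int, seed: int = 3) -> float:
    """Fraction of runs in which A_fact factors N; Equations (11.4)-(11.6)
    predict epsilon(n)/2 = 1/2 here because this A always succeeds."""
    rng = random.Random(seed)             # seeded only for reproducibility
    A, N = make_oracle(p, q), p * q
    hits = 0
    for _ in range(trials):
        res = a_fact(N, A, rng)
        if res is not None:
            assert set(res) == {p, q}
            hits += 1
    return hits / trials
```

The same attack pattern is what makes deterministic Rabin-style decryption dangerous in practice: a decryption oracle that returns an arbitrary root of an attacker-chosen $x^2$ is exactly the $A$ above, and half of its answers factor $N$.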

The  previous  theorem  leads  directly  to  a family  of  one-way  functions  (see 
Definition  7.70)  based  on  any  GenModulus  relative  to  which  factoring  is  hard: 
• Algorithm Gen, on input $1^n$, runs GenModulus$(1^n)$ to obtain $(N, p, q)$
and outputs $I = N$. The domain $\mathcal{D}_I$ is $\mathbb{Z}_N^*$ and the range $\mathcal{R}_I$ is $\mathcal{QR}_N$.

• Algorithm Samp, on input $N$, chooses a random element $x \leftarrow \mathbb{Z}_N^*$.

• Algorithm $f$, on input $N$ and $x \in \mathbb{Z}_N^*$, outputs $[x^2 \bmod N]$.

The  fact  that  this  family  is  one-way  follows  from  the  assumption  that  fac- 
toring is  hard  and  from  the  fact  that  inverting  / is  equivalent  to  factoring. 

We can turn this into a family of one-way permutations by using moduli $N$
of a special form and letting $\mathcal{D}_I$ be a subset of $\mathbb{Z}_N^*$. (See the exercises for other
ways to make this a permutation.) Say $N = pq$ is a Blum integer if $p$ and $q$
are distinct primes with $p = q = 3 \bmod 4$. The key to building a permutation
is the following proposition.

PROPOSITION  11.23  Let  N be  a Blum  integer.  Then  every  quadratic 
residue  modulo  N has  exactly  one  square  root  that  is  also  a quadratic  residue. 

PROOF Say $N = pq$ with $p = q = 3 \bmod 4$. Using Proposition 11.2, we
see that $-1$ is not a quadratic residue modulo $p$ or $q$. This is because for
$p = 3 \bmod 4$ it holds that $p = 4i + 3$ for some $i$ and so

$$(-1)^{(p-1)/2} = (-1)^{2i+1} = -1 \bmod p$$

(because $2i + 1$ is odd). Now let $y \leftrightarrow (y_p, y_q)$ be an arbitrary quadratic residue
modulo $N$ with the four square roots

$$(x_p, x_q),\ (-x_p, x_q),\ (x_p, -x_q),\ (-x_p, -x_q).$$

We claim that exactly one of these is a quadratic residue modulo $N$. To see
this, assume $\mathcal{J}_p(x_p) = +1$ and $\mathcal{J}_q(x_q) = -1$ (the proof proceeds similarly in
any other case). Using Proposition 11.4, we have

$$\mathcal{J}_q(-x_q) = \mathcal{J}_q(-1) \cdot \mathcal{J}_q(x_q) = +1,$$

and so $(x_p, -x_q)$ corresponds to a quadratic residue modulo $N$ (using Proposition
11.6). Similarly, $\mathcal{J}_p(-x_p) = -1$ and so none of the other square roots
of $y$ are quadratic residues modulo $N$. ∎


Expressed differently, the above proposition says that when $N$ is a Blum
integer, the function $f_N : \mathcal{QR}_N \to \mathcal{QR}_N$ given by $f_N(x) = [x^2 \bmod N]$ is
a permutation over $\mathcal{QR}_N$. Modifying the sampling algorithm Samp, above,
to choose a random $x \leftarrow \mathcal{QR}_N$ (which, as we have already seen, can be
done easily by choosing random $r \leftarrow \mathbb{Z}_N^*$ and setting $x := [r^2 \bmod N]$) gives
a family of one-way permutations. Finally, because square roots modulo $N$
can be computed in polynomial time given the factorization of $N$, a straightforward
modification yields a family of trapdoor permutations based on any
GenModulus relative to which factoring is hard. This is sometimes called the
Rabin family of trapdoor permutations. In summary:

THEOREM 11.24 Let GenModulus be an algorithm that, on input $1^n$,
outputs $(N, p, q)$ where $N = pq$ and $p$ and $q$ are distinct primes (except possibly
with negligible probability) with $p = q = 3 \bmod 4$. If factoring is hard relative
to GenModulus, then there exists a family of trapdoor permutations.


11.2.3  The  Rabin  Encryption  Scheme 

The  Rabin  trapdoor  permutation  suggests  a “textbook  Rabin”  encryption 
scheme  by  analogy  with  “textbook  RSA”  encryption.  Such  a scheme  is  deter- 
ministic and  therefore  is  not  CPA-secure.  A better  approach  is  to  rely  on  the 
results  of  Section  10.7.2,  where  we  showed  that  any  trapdoor  permutation  can 
be  used  to  construct  a CPA-secure  public- key  encryption  scheme.  To  apply 
the  transformation  shown  there  to  the  Rabin  family  of  trapdoor  permutations 
introduced  in  the  previous  section,  we  need  a predicate  that  is  hard-core  for 
this  family  (see  Definition  10.26).  It  can  be  shown  that  the  least-significant 
bit $\mathsf{lsb}(\cdot)$ constitutes a hard-core predicate. That is, let GenModulus be an
algorithm outputting Blum integers relative to which factoring is hard. Then
for all probabilistic polynomial-time algorithms $A$ there exists a negligible
function negl such that

$$\Pr\bigl[A(N, [x^2 \bmod N]) = \mathsf{lsb}(x)\bigr] \le \tfrac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over the experiment in which GenModulus$(1^n)$
outputs $(N, p, q)$ and then $x$ is chosen at random from $\mathcal{QR}_N$. Plugging this
into  Construction  10.27  gives  a concrete  example  of  a public-key  encryption 
scheme  whose  security  can  be  based  on  the  factoring  assumption.  We  describe 
this  formally  in  Construction  11.25. 

We do not prove the following theorem here; see Exercise 10.10 of Chapter 10
(and the reference there) for an idea as to how a proof would proceed.

THEOREM 11.26 If factoring is hard relative to GenModulus, then Construction
11.25 has indistinguishable encryptions under a chosen-plaintext attack.

One could also consider a "padded Rabin" encryption scheme, constructed
by analogy with the padded RSA encryption scheme of Section 10.4.3, that
is more efficient than Construction 11.25. In this case, however, provable
security based on factoring is not known to hold. See Exercise 11.14 for one
example of how this could be done.
CONSTRUCTION 11.25

Let GenModulus be a polynomial-time algorithm that, on input $1^n$, outputs
$(N, p, q)$ where $N = pq$ and $p$ and $q$ are $n$-bit primes (except with
probability negligible in $n$) with $p = q = 3 \bmod 4$. Construct a public-key
encryption scheme as follows:

• Gen: on input $1^n$ run GenModulus($1^n$) to obtain $(N, p, q)$. The
  public key is $N$, and the private key is $(p, q)$.

• Enc: on input a public key $N$ and message $m \in \{0, 1\}$, choose a
  random $x \leftarrow \mathcal{QR}_N$ and output the ciphertext

  $c := \big([x^2 \bmod N],\ \mathrm{lsb}(x) \oplus m\big).$

• Dec: on input a private key $(p, q)$ and a ciphertext $(c, c')$, compute
  the unique $x \in \mathcal{QR}_N$ such that $x^2 = c \bmod N$, and output
  $\mathrm{lsb}(x) \oplus c'$.

The Rabin encryption scheme.

Rabin Encryption vs. RSA Encryption

It is worthwhile to remark on the similarities and differences between the
Rabin and RSA cryptosystems. (The discussion here applies to any
cryptographic construction, not necessarily a public-key encryption scheme,
based on the Rabin or RSA trapdoor permutations.)

At a basic level, the RSA and Rabin trapdoor permutations appear quite
similar, with squaring in the case of Rabin corresponding to taking $e = 2$ in the
case of RSA. (Of course, 2 is not relatively prime to $\phi(N)$ and so Rabin is not
a special case of RSA.) In terms of the security offered by each construction, we
have noted that hardness of computing modular square roots is equivalent to
hardness of factoring, while hardness of solving the RSA problem is not known
to be implied by the hardness of factoring. The Rabin trapdoor permutation is
thus based on a potentially weaker assumption. It is theoretically possible that
someone might develop an efficient algorithm for solving the RSA problem,
yet computing square roots will remain hard. More plausible is that someone will
propose an algorithm that solves the RSA problem in less time than it takes to
factor (but that still requires super-polynomial time). Lemma 11.21 ensures,
however, that computing square roots modulo $N$ can never be much faster
than the best available algorithm for factoring $N$.

In terms of their efficiency, the RSA and Rabin permutations are essentially
the same. Actually, if a large exponent $e$ is used in the case of RSA then
computing $e$th powers (as in RSA) is slightly slower than squaring (as in
Rabin). On the other hand, a bit more care is required when working with
the Rabin permutation since it is only a permutation over a subset of $\mathbb{Z}_N^*$
(namely $\mathcal{QR}_N$), in contrast to RSA which gives a permutation over all of $\mathbb{Z}_N^*$.

A "textbook Rabin" encryption scheme, constructed in a manner exactly
analogous to textbook RSA encryption, is vulnerable to a chosen-ciphertext
attack that enables an adversary to learn the entire private key of the
receiver (see Exercise 11.12). Although textbook RSA is vulnerable to a
chosen-ciphertext attack that recovers the entire message, there is no known
chosen-ciphertext attack on textbook RSA that recovers the entire private key. It is
possible that the existence of such an attack on "textbook Rabin" influenced
cryptographers, early on, to reject the use of Rabin encryption entirely.

In summary, the RSA permutation is much more widely used in practice
than the Rabin permutation, but in light of the above this appears to be due
more to historical accident than to any compelling technical justification.
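The following Python program is an added example, not part of the textbook. It implements Construction 11.25 on toy parameters and, for the chosen-ciphertext attack on "textbook Rabin" mentioned above (Exercise 11.12), shows the fact behind Lemma 11.21 that two square roots of the same value which are not negatives of each other factor $N$. The names gen_modulus, sqrt_qr, rabin_enc, rabin_dec, factor_from_roots and textbook_rabin_cca are this example's own, and the primes it generates are far too small for real use.

```python
# Added example (not from the textbook): Construction 11.25 on toy parameters,
# and the square-root/factoring relationship (Lemma 11.21) that underlies the
# chosen-ciphertext attack on "textbook Rabin" of Exercise 11.12.
# Helper names (gen_modulus, sqrt_qr, ...) are this example's own choices.
import math
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic, error at most 4^-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_modulus(n, rng=random):
    """GenModulus(1^n): N = pq with p, q distinct n-bit primes, p = q = 3 mod 4 (a Blum integer)."""
    def blum_prime():
        while True:
            cand = rng.getrandbits(n) | (1 << (n - 1)) | 3   # exactly n bits and = 3 mod 4
            if is_probable_prime(cand):
                return cand
    p = blum_prime()
    q = blum_prime()
    while q == p:
        q = blum_prime()
    return p * q, p, q


def sqrt_qr(c, p, q):
    """The unique square root of c that lies in QR_N, given the factorization N = pq.
    For a prime r = 3 mod 4, c^((r+1)/4) is a square root of c mod r, and exactly one of
    +/- that root is itself a residue mod r. Take the residue root mod p and mod q and
    combine them by the CRT: a root is in QR_N iff it is a residue modulo both primes."""
    N = p * q

    def residue_root(c, r):
        x = pow(c, (r + 1) // 4, r)
        return x if pow(x, (r - 1) // 2, r) == 1 else (-x) % r

    xp, xq = residue_root(c % p, p), residue_root(c % q, q)
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % N


def rabin_enc(N, m, rng=random):
    """Enc of Construction 11.25: x <- QR_N, output ([x^2 mod N], lsb(x) xor m)."""
    assert m in (0, 1)
    y = rng.randrange(1, N)
    while math.gcd(y, N) != 1:
        y = rng.randrange(1, N)
    x = y * y % N                      # squaring a uniform unit gives a uniform element of QR_N
    return x * x % N, (x & 1) ^ m


def rabin_dec(p, q, ct):
    """Dec of Construction 11.25: recover the QR_N root x of c and output lsb(x) xor c'."""
    c, c_prime = ct
    x = sqrt_qr(c, p, q)
    return (x & 1) ^ c_prime


def factor_from_roots(N, x, y):
    """If x^2 = y^2 mod N and x != +/-y mod N, then N divides (x-y)(x+y) but neither
    factor, so gcd(x - y, N) is a nontrivial divisor of N (the core of Lemma 11.21)."""
    g = math.gcd((x - y) % N, N)
    return g if 1 < g < N else None


def textbook_rabin_cca(N, p, q, rng=random):
    """Simulated attack of Exercise 11.12: the decryption oracle (played by sqrt_qr)
    returns the QR_N root of any ciphertext. The attacker submits the square of its
    own random x; the returned root differs from +/-x with probability 1/2, and then
    factor_from_roots yields the private key. Returns ((p, q), number of queries)."""
    queries = 0
    while True:
        queries += 1
        x = rng.randrange(2, N)
        if math.gcd(x, N) != 1:          # a random non-unit already reveals a factor
            g = math.gcd(x, N)
            return tuple(sorted((g, N // g))), queries
        y = sqrt_qr(x * x % N, p, q)     # the oracle's answer for the chosen ciphertext x^2
        g = factor_from_roots(N, x, y)
        if g is not None:
            return tuple(sorted((g, N // g))), queries


if __name__ == "__main__":
    N, p, q = gen_modulus(32)
    ct = rabin_enc(N, 1)
    print(N, ct, rabin_dec(p, q, ct))
    print(textbook_rabin_cca(N, p, q))
```

The oracle in the simulated attack answers exactly as a textbook-Rabin receiver would, with the root in $\mathcal{QR}_N$; since the attacker's $x$ is that root only a quarter of the time and its negative another quarter, two queries suffice on average. Dec of Construction 11.25 returns only the single bit $\mathrm{lsb}(x) \oplus c'$, not the root, which is the difference that the discussion above is pointing at.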


11.3  The  Paillier  Encryption  Scheme 

The Paillier encryption scheme, like the RSA, Goldwasser-Micali, and Rabin
encryption schemes, is based on the hardness of factoring a composite
number $N$ that is the product of two primes. (We emphasize that, with the
exception of Rabin encryption, security of these schemes is not known to be
equivalent to the hardness of factoring.) The Paillier encryption scheme is more
efficient than the Goldwasser-Micali cryptosystem, as well as the
provably-secure RSA and Rabin schemes of Theorems 10.19 and 11.26, respectively.
Perhaps more importantly, the Paillier encryption scheme possesses some nice
homomorphic properties we will discuss further in Section 11.3.3. We remark,
however, that it relies on a newer and less studied hardness assumption.

The Paillier encryption scheme utilizes the group $\mathbb{Z}_{N^2}^*$. A useful
characterization of this group is given by the following proposition which says, among
other things, that $\mathbb{Z}_{N^2}^*$ is isomorphic to $\mathbb{Z}_N \times \mathbb{Z}_N^*$ (see Definition 7.23) for $N$
of the form we will be interested in.³ We will prove the proposition in the
next section.

PROPOSITION 11.27 Let $N = pq$, where $p, q$ are distinct odd primes of
the same length. Then:

1. $\gcd(N, \phi(N)) = 1$.

2. For any integer $a \ge 0$, we have $(1 + N)^a = (1 + aN) \bmod N^2$.

   As a consequence, the order of $(1 + N)$ in $\mathbb{Z}_{N^2}^*$ is $N$. That is, $(1 + N)^N =
   1 \bmod N^2$ and $(1 + N)^a \ne 1 \bmod N^2$ for any $1 \le a < N$.

3. $\mathbb{Z}_N \times \mathbb{Z}_N^*$ is isomorphic to $\mathbb{Z}_{N^2}^*$, with isomorphism $f : \mathbb{Z}_N \times \mathbb{Z}_N^* \to \mathbb{Z}_{N^2}^*$
   given by

   $f(a, b) = [(1 + N)^a \cdot b^N \bmod N^2].$


³Recall that $\mathbb{Z}_N$ is a group under addition modulo $N$, while $\mathbb{Z}_N^*$ is a group under
multiplication modulo $N$.
In light of the final claim of the above proposition, we introduce some
convenient shorthand. With $N$ understood, and $x \in \mathbb{Z}_{N^2}^*$, $a \in \mathbb{Z}_N$, $b \in \mathbb{Z}_N^*$,
we write $x \leftrightarrow (a, b)$ if $f(a, b) = x$ where $f$ is the isomorphism from the
proposition above. One way to think about this notation is that it means
"$x$ in $\mathbb{Z}_{N^2}^*$ corresponds to $(a, b)$ in $\mathbb{Z}_N \times \mathbb{Z}_N^*$." We have used the same notation
throughout this book in the context of the isomorphism $\mathbb{Z}_N^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ given
by the Chinese remainder theorem; we keep the notation because in both
cases it refers to an isomorphism of groups. Nevertheless, there should be
no confusion since the group $\mathbb{Z}_{N^2}^*$ and the above proposition are only used in
this section (and the Chinese remainder theorem is not used in this section).
We remark that here the isomorphism, but not its inverse, is efficiently
computable even without the factorization of $N$.

Section  11.3.1  is  dedicated  to  a proof  of  Proposition  11.27.  The  reader  who 
is  willing  to  accept  the  proposition  on  faith  can  skip  directly  to  Section  11.3.2. 

11.3.1 The Structure of $\mathbb{Z}_{N^2}^*$

In  this  section,  we  prove  Proposition  11.27  claim-by-claim.  Throughout,  we 
let  N,  p,  q be  as  in  the  proposition. 

CLAIM 11.28 For $N, p, q$ as in Proposition 11.27, $\gcd(N, \phi(N)) = 1$.

PROOF Recall that $\phi(N) = (p - 1)(q - 1)$. Assume $p > q$ without loss of
generality. Since $p$ is prime and $p > p - 1 > q - 1 > 0$, clearly $\gcd(p, \phi(N)) = 1$.
Similarly, $\gcd(q, q - 1) = 1$. Now, if $\gcd(q, p - 1) \ne 1$ then $\gcd(q, p - 1) = q$
since $q$ is prime, i.e., $q \mid (p - 1)$. But $p - 1 \ne q$ (the former is even and the latter
odd), so $(p - 1)/q \ge 2$, contradicting the assumption that $p$ and $q$ have the same
length.  ∎


CLAIM 11.29 For $a \ge 0$ an integer, we have $(1 + N)^a = 1 + aN \bmod N^2$.
Thus, the order of $(1 + N)$ in $\mathbb{Z}_{N^2}^*$ is $N$.

PROOF Using the binomial expansion theorem (Theorem A.1):

$$(1 + N)^a = \sum_{i=0}^{a} \binom{a}{i} N^i.$$

Reducing the right-hand side modulo $N^2$, all terms with $i \ge 2$ become 0
and so $(1 + N)^a = 1 + aN \bmod N^2$. Since $1 + aN = 1 \bmod N^2$ exactly when
$N \mid a$, the smallest non-zero $a$ such that $(1 + N)^a = 1 \bmod N^2$ is $a = N$.  ∎


CLAIM 11.30 The group $\mathbb{Z}_N \times \mathbb{Z}_N^*$ is isomorphic to the group $\mathbb{Z}_{N^2}^*$, with
isomorphism $f : \mathbb{Z}_N \times \mathbb{Z}_N^* \to \mathbb{Z}_{N^2}^*$ given by $f(a, b) = [(1 + N)^a \cdot b^N \bmod N^2]$.

PROOF Note that $(1 + N)^a \cdot b^N$ does not have a factor in common with
$N^2$ since $\gcd(1 + N, N^2) = 1$ and $\gcd(b, N^2) = 1$ (because $b \in \mathbb{Z}_N^*$). So
$[(1 + N)^a \cdot b^N \bmod N^2]$ lies in $\mathbb{Z}_{N^2}^*$. We now prove that $f$ is an isomorphism.
We first show that $f$ is a bijection. Since

$$|\mathbb{Z}_{N^2}^*| = \phi(N^2) = p \cdot (p - 1) \cdot q \cdot (q - 1) = pq \cdot (p - 1)(q - 1) = |\mathbb{Z}_N| \cdot |\mathbb{Z}_N^*| = |\mathbb{Z}_N \times \mathbb{Z}_N^*|$$

(see Theorem 7.19 for the second equality), it suffices to show that $f$ is
one-to-one. Say $a_1, a_2 \in \mathbb{Z}_N$ and $b_1, b_2 \in \mathbb{Z}_N^*$ are such that $f(a_1, b_1) = f(a_2, b_2)$.
Then:

$$(1 + N)^{a_1 - a_2} \cdot (b_1/b_2)^N = 1 \bmod N^2. \qquad (11.7)$$

(Note that $b_2 \in \mathbb{Z}_N^*$ and thus $b_2 \in \mathbb{Z}_{N^2}^*$, and so $b_2$ has a multiplicative inverse
modulo $N^2$.) Raising both sides to the power $\phi(N)$ and using the fact that
the order of $\mathbb{Z}_{N^2}^*$ is $\phi(N^2) = N \cdot \phi(N)$ we obtain

$$(1 + N)^{(a_1 - a_2) \cdot \phi(N)} \cdot (b_1/b_2)^{N \cdot \phi(N)} = 1 \bmod N^2$$
$$\Rightarrow\ (1 + N)^{(a_1 - a_2) \cdot \phi(N)} = 1 \bmod N^2.$$

By Claim 11.29, $(1 + N)$ has order $N$ modulo $N^2$. Applying Proposition 7.50,
we see that $(a_1 - a_2) \cdot \phi(N) = 0 \bmod N$ and so $N$ divides $(a_1 - a_2) \cdot \phi(N)$.
Since $\gcd(N, \phi(N)) = 1$ by Claim 11.28, it follows that $N \mid (a_1 - a_2)$. Since
$a_1, a_2 \in \mathbb{Z}_N$, this can only occur if $a_1 = a_2$.

Returning to Equation (11.7) and setting $a_1 = a_2$, we thus have $b_1^N =
b_2^N \bmod N^2$. This implies $b_1^N = b_2^N \bmod N$. Since $N$ is relatively prime to
$\phi(N)$, the order of $\mathbb{Z}_N^*$, exponentiation to the power $N$ is a bij\-ection in $\mathbb{Z}_N^*$
(cf. Corollary 7.17). This means that $b_1 = b_2 \bmod N$; since $b_1, b_2 \in \mathbb{Z}_N^*$, we
have $b_1 = b_2$. We conclude that $f$ is one-to-one, and hence a bijection.

To show that $f$ is an isomorphism, we show that $f(a_1, b_1) \cdot f(a_2, b_2) =
f(a_1 + a_2, b_1 \cdot b_2)$. (Note that multiplication on the left-hand side of the
equality takes place modulo $N^2$, while addition/multiplication on the
right-hand side takes place modulo $N$.) We have:

$$f(a_1, b_1) \cdot f(a_2, b_2) = \big((1 + N)^{a_1} \cdot b_1^N\big) \cdot \big((1 + N)^{a_2} \cdot b_2^N\big) \bmod N^2$$
$$= (1 + N)^{a_1 + a_2} \cdot (b_1 b_2)^N \bmod N^2.$$

Since $(1 + N)$ has order $N$ modulo $N^2$ (by Claim 11.29), we can apply
Proposition 7.49 and obtain

$$f(a_1, b_1) \cdot f(a_2, b_2) = (1 + N)^{a_1 + a_2} \cdot (b_1 b_2)^N \bmod N^2$$
$$= (1 + N)^{[a_1 + a_2 \bmod N]} \cdot (b_1 b_2)^N \bmod N^2. \qquad (11.8)$$

We are not yet done, since $b_1 b_2$ in Equation (11.8) represents multiplication
modulo $N^2$ whereas we would like it to be modulo $N$. Let $b_1 b_2 = r + \gamma N$,
where $\gamma, r$ are integers with $1 \le r < N$ ($r$ cannot be 0 since $b_1, b_2 \in \mathbb{Z}_N^*$ and
so their product cannot be divisible by $N$). Note that $r = b_1 b_2 \bmod N$. We
also have

$$(b_1 b_2)^N = (r + \gamma N)^N \bmod N^2$$
$$= \sum_{k=0}^{N} \binom{N}{k} r^{N - k} (\gamma N)^k \bmod N^2$$
$$= r^N + N \cdot r^{N - 1} \cdot (\gamma N) = r^N = (b_1 b_2 \bmod N)^N \bmod N^2,$$

using the binomial expansion theorem as in Claim 11.29. Plugging this in to
Equation (11.8) we get the desired result:

$$f(a_1, b_1) \cdot f(a_2, b_2) = (1 + N)^{[a_1 + a_2 \bmod N]} \cdot ([b_1 b_2 \bmod N])^N \bmod N^2$$
$$= f\big([a_1 + a_2 \bmod N],\ [b_1 b_2 \bmod N]\big),$$

proving that $f$ is an isomorphism from $\mathbb{Z}_N \times \mathbb{Z}_N^*$ to $\mathbb{Z}_{N^2}^*$.  ∎
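As an added check (example code, not from the textbook), the following Python program verifies every claim of Proposition 11.27 by brute force for the toy modulus $N = 3 \cdot 5$, and inverts the isomorphism $f$ when $\phi(N)$ is known, which is what Exercise 11.15 asks for. The function names iso, iso_inverse and check_proposition are this example's own.

```python
# Added example (not from the textbook): brute-force check of Proposition 11.27
# for the toy modulus N = 3 * 5, plus an inverse of f that uses phi(N)
# (Exercise 11.15). Function names are this example's own.
from math import gcd


def iso(N, a, b):
    """f(a, b) = (1 + N)^a * b^N mod N^2, the isomorphism of Proposition 11.27(3)."""
    N2 = N * N
    return pow(1 + N, a, N2) * pow(b, N, N2) % N2


def iso_inverse(N, phi, x):
    """Invert f given phi(N). Raising x = (1+N)^a b^N to the power phi(N) kills b
    (b^{N phi(N)} = 1 mod N^2) and leaves 1 + a*phi(N)*N, which reveals a; then
    b^N mod N is known and N is invertible modulo phi(N), so b can be extracted."""
    N2 = N * N
    a = ((pow(x, phi, N2) - 1) // N) * pow(phi, -1, N) % N
    b_to_N = x * pow(pow(1 + N, a, N2), -1, N2) % N2      # = b^N mod N^2
    b = pow(b_to_N % N, pow(N, -1, phi), N)               # b^N mod N  ->  b
    return a, b


def check_proposition(p, q):
    """Exhaustively verify each claim of Proposition 11.27 for N = p*q (toy sizes only)."""
    N = p * q
    N2 = N * N
    phi = (p - 1) * (q - 1)
    units = {x for x in range(1, N2) if gcd(x, N2) == 1}               # Z*_{N^2}
    domain = [(a, b) for a in range(N) for b in range(1, N) if gcd(b, N) == 1]

    claim1 = gcd(N, phi) == 1
    # (1+N)^a = 1 + aN mod N^2 for every a, and the order of 1+N is exactly N
    claim2 = (all(pow(1 + N, a, N2) == (1 + a * N) % N2 for a in range(3 * N))
              and min(a for a in range(1, N2) if pow(1 + N, a, N2) == 1) == N)
    image = [iso(N, a, b) for a, b in domain]
    bijection = len(set(image)) == len(domain) and set(image) == units
    homomorphic = all(
        iso(N, a1, b1) * iso(N, a2, b2) % N2 == iso(N, (a1 + a2) % N, b1 * b2 % N)
        for a1, b1 in domain for a2, b2 in domain)
    inverted = all(iso_inverse(N, phi, iso(N, a, b)) == (a, b) for a, b in domain)
    # the N-th residues Res(N^2) are exactly the elements corresponding to (0, b)
    residues = {pow(x, N, N2) for x in units}
    nth_residues = residues == {iso(N, 0, b) for b in range(1, N) if gcd(b, N) == 1}
    return {
        "claim1": claim1, "claim2": claim2, "bijection": bijection,
        "homomorphic": homomorphic, "inverse": inverted, "nth_residues": nth_residues,
        "residue_fraction": len(residues) / len(units),   # |Res(N^2)| / |Z*_{N^2}| = 1/N
    }


if __name__ == "__main__":
    print(check_proposition(3, 5))
```

With $N = 15$ the domain $\mathbb{Z}_{15} \times \mathbb{Z}_{15}^*$ and the group $\mathbb{Z}_{225}^*$ both have 120 elements, the image of the pairs $(0, b)$ is exactly the set of 15th residues, and that set is a $1/15$ fraction of the group, matching the counts $N \cdot \phi(N)$ versus $\phi(N)$. iso_inverse also works on the values of Example 11.33 ($N = 187$), where $f(175, 83) = 23911$.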


11.3.2 The Paillier Encryption Scheme

Let $N = pq$ be a product of two distinct primes of equal length. Proposition
11.27 says that $\mathbb{Z}_N \times \mathbb{Z}_N^*$ is isomorphic to $\mathbb{Z}_{N^2}^*$, with isomorphism given
by $f(a, b) = [(1 + N)^a \cdot b^N \bmod N^2]$. A consequence is that a random element
$y \in \mathbb{Z}_{N^2}^*$ corresponds to a random element $(a, b) \in \mathbb{Z}_N \times \mathbb{Z}_N^*$ or, in other
words, an element $(a, b)$ with random $a \in \mathbb{Z}_N$ and random $b \in \mathbb{Z}_N^*$.

Say $y \in \mathbb{Z}_{N^2}^*$ is an $N$th residue modulo $N^2$ if $y$ is an $N$th power; that is,
if there exists an $x \in \mathbb{Z}_{N^2}^*$ with $y = x^N \bmod N^2$. We denote the set of $N$th
residues modulo $N^2$ by $\mathrm{Res}(N^2)$. Let us characterize the $N$th residues in $\mathbb{Z}_{N^2}^*$.
Taking any $x \in \mathbb{Z}_{N^2}^*$ with $x \leftrightarrow (a, b)$ and raising it to the $N$th power gives:

$$[x^N \bmod N^2] \leftrightarrow (a, b)^N = (N \cdot a \bmod N,\ b^N \bmod N) = (0,\ b^N \bmod N)$$

(recall that the group operation in $\mathbb{Z}_N \times \mathbb{Z}_N^*$ is addition modulo $N$ in the first
component and multiplication modulo $N$ in the second component). Moreover,
we claim that any element $y$ with $y \leftrightarrow (0, b)$ is an $N$th residue. To see
this, recall that $\gcd(N, \phi(N)) = 1$ and so $d := [N^{-1} \bmod \phi(N)]$ exists. So

$$(a, [b^d \bmod N])^N = (Na \bmod N,\ [b^{dN} \bmod N]) = (0, b) \leftrightarrow y$$

for any $a \in \mathbb{Z}_N$. We have thus shown that $\mathrm{Res}(N^2)$ corresponds to the set

$$\{(0, b) \mid b \in \mathbb{Z}_N^*\}.$$

(Compare this to $\mathbb{Z}_{N^2}^*$, which corresponds to $\{(a, b) \mid a \in \mathbb{Z}_N,\ b \in \mathbb{Z}_N^*\}$.) The
above also demonstrates that the number of $N$th roots of any $y \in \mathrm{Res}(N^2)$
is exactly $N$, and so computing $N$th powers is an $N$-to-1 function. As a
consequence, if $r \leftarrow \mathbb{Z}_{N^2}^*$ is chosen uniformly at random then $[r^N \bmod N^2]$ is
a uniformly distributed element of $\mathrm{Res}(N^2)$.

The decisional composite residuosity problem, roughly speaking, is to
distinguish a random element of $\mathbb{Z}_{N^2}^*$ from a random element of $\mathrm{Res}(N^2)$. Note
that unlike the quadratic residuosity assumption, where $\mathcal{QR}_N$ and $\mathcal{QNR}_N^{+1}$
are disjoint sets, here $\mathrm{Res}(N^2) \subset \mathbb{Z}_{N^2}^*$. Nevertheless, $\mathrm{Res}(N^2)$ forms only a
negligible fraction of $\mathbb{Z}_{N^2}^*$ (a $1/N$ fraction, by the counting above). Formally,
let GenModulus be a polynomial-time algorithm that, on input $1^n$, outputs
$(N, p, q)$ where $N = pq$, and $p$ and $q$ are $n$-bit primes (except with probability
negligible in $n$). Then:


DEFINITION 11.31 We say the decisional composite residuosity problem
is hard relative to GenModulus if for all probabilistic polynomial-time algorithms
$\mathcal{A}$ there exists a negligible function negl such that

$$\Big|\Pr\big[\mathcal{A}(N, [r^N \bmod N^2]) = 1\big] - \Pr\big[\mathcal{A}(N, r) = 1\big]\Big| \le \mathrm{negl}(n),$$

where in each case the probabilities are taken over the experiment in which
GenModulus($1^n$) outputs $(N, p, q)$, and then a random $r \leftarrow \mathbb{Z}_{N^2}^*$ is chosen.

(Note that $[r^N \bmod N^2]$ is a random element of $\mathrm{Res}(N^2)$.)


The decisional composite residuosity (DCR) assumption is the assumption
that there exists a GenModulus relative to which the decisional composite
residuosity problem is hard. This assumption can be viewed as a generalization,
of sorts, of the quadratic residuosity assumption in $\mathbb{Z}_N^*$ that we have
seen earlier.

As we have discussed, random elements of $\mathbb{Z}_{N^2}^*$ have the form $(r', r)$ with $r'$
and $r$ random (in the appropriate groups), while random $N$th residues have
the form $(0, r)$ with $r$ random. The DCR assumption is that it is hard to
distinguish random elements of the first type from random elements of the
second type. This suggests the following abstract way to encrypt a message
$m \in \mathbb{Z}_N$ with respect to a public key $N$: choose a random $N$th residue $(0, r)$
and set the ciphertext equal to

$$c \leftrightarrow (m, 1) \cdot (0, r) = (m, r).$$

(In the above, "$\cdot$" represents the group operation in $\mathbb{Z}_N \times \mathbb{Z}_N^*$.) Without
worrying for now how this can be carried out efficiently by the sender, or how
the receiver can decrypt, let us simply convince ourselves (on an intuitive
level) that this is secure. Since a random $N$th residue $(0, r)$ cannot be
distinguished from a random element $(r', r)$, the ciphertext as constructed above is
indistinguishable (from the point of view of an eavesdropper who does not know the
factorization of $N$ and so supposedly cannot compute $f^{-1}$) from a ciphertext
constructed as

$$c' \leftrightarrow (m, 1) \cdot (r', r) = ([m + r' \bmod N],\ r)$$

for a random $r' \in \mathbb{Z}_N$. Lemma 10.20 shows that $[m + r' \bmod N]$ is uniformly
distributed in $\mathbb{Z}_N$ and so, in particular, this ciphertext $c'$ is independent of the
message $m$. Indistinguishability of encryptions in the presence of an
eavesdropper follows.

A formal proof that proceeds exactly along these lines is given below. Let
us first see how encryption and decryption can be performed efficiently, and
then give a formal description of the encryption scheme.

Encryption. We have described encryption above as though it is taking
place in $\mathbb{Z}_N \times \mathbb{Z}_N^*$. In fact it takes place in the isomorphic group $\mathbb{Z}_{N^2}^*$. That
is, the sender generates a ciphertext $c \in \mathbb{Z}_{N^2}^*$ by choosing a random $r \in \mathbb{Z}_N^*$
and then computing

$$c := [(1 + N)^m \cdot r^N \bmod N^2].$$

Observe that

$$c = \big((1 + N)^m \cdot 1^N\big) \cdot \big((1 + N)^0 \cdot r^N\big) \bmod N^2 \leftrightarrow (m, 1) \cdot (0, r),$$

and so $c \leftrightarrow (m, r)$ as desired.

We remark that it does not make any difference whether the sender chooses
random $r \leftarrow \mathbb{Z}_N^*$ or random $r \leftarrow \mathbb{Z}_{N^2}^*$, since in either case the distribution of
$[r^N \bmod N^2]$ is the same (as can be verified by looking at what happens in
the isomorphic group $\mathbb{Z}_N \times \mathbb{Z}_N^*$).

Decryption. We now describe how decryption can be performed efficiently
given the factorization of $N$. For $c$ constructed as above, we claim that $m$ is
recovered by the following steps:

• Set $\hat{c} := [c^{\phi(N)} \bmod N^2]$.

• Set $\hat{m} := (\hat{c} - 1)/N$. (Note that this is carried out over the integers.)

• Set $m := [\hat{m} \cdot \phi(N)^{-1} \bmod N]$.

To see why this works, let $c \leftrightarrow (m, r)$ for an arbitrary $r \in \mathbb{Z}_N^*$. Then

$$\hat{c} = [c^{\phi(N)} \bmod N^2] \leftrightarrow (m, r)^{\phi(N)} = \big([m \cdot \phi(N) \bmod N],\ [r^{\phi(N)} \bmod N]\big) = \big([m \cdot \phi(N) \bmod N],\ 1\big).$$

By Proposition 11.27(3), this means that $\hat{c} = (1 + N)^{[m \cdot \phi(N) \bmod N]} \bmod N^2$.
Using Proposition 11.27(2), we know that

$$\hat{c} = (1 + N)^{[m \cdot \phi(N) \bmod N]} = \big(1 + [m \cdot \phi(N) \bmod N] \cdot N\big) \bmod N^2.$$

Since $1 + [m \cdot \phi(N) \bmod N] \cdot N$ is always less than $N^2$ we can drop the $\bmod N^2$
at the end and view the above as an equality over the integers. Thus, $\hat{m} =
(\hat{c} - 1)/N = [m \cdot \phi(N) \bmod N]$ and, finally,

$$m = [\hat{m} \cdot \phi(N)^{-1} \bmod N],$$

as required. (Note that $\phi(N)$ is invertible modulo $N$ since $\gcd(N, \phi(N)) = 1$.)

We  give  a complete  description  of  the  Paillier  encryption  scheme,  followed 
by  an  example  of  the  above  calculations. 


CONSTRUCTION 11.32

Let GenModulus be a polynomial-time algorithm that, on input $1^n$, outputs
$(N, p, q)$ where $N = pq$ and $p$ and $q$ are $n$-bit primes (except with
probability negligible in $n$). Define a public-key encryption scheme as
follows:

• Gen: on input $1^n$ run GenModulus($1^n$) to obtain $(N, p, q)$. The
  public key is $N$, and the private key is $(N, \phi(N))$.

• Enc: on input a public key $N$ and a message $m \in \mathbb{Z}_N$, choose a
  random $r \leftarrow \mathbb{Z}_N^*$ and output the ciphertext

  $c := [(1 + N)^m \cdot r^N \bmod N^2].$

• Dec: on input a private key $(N, \phi(N))$ and a ciphertext $c$, compute

  $m := \left[\frac{[c^{\phi(N)} \bmod N^2] - 1}{N} \cdot \phi(N)^{-1} \bmod N\right].$

The Paillier encryption scheme.


Example 11.33

Let $N = 11 \cdot 17 = 187$ (and so $N^2 = 34969$), and consider encrypting the
message $m = 175$ and then decrypting the corresponding ciphertext. Choosing
$r = 83 \in \mathbb{Z}_{187}^*$, we compute the ciphertext

$$c := [(1 + 187)^{175} \cdot 83^{187} \bmod 34969] = 23911$$

corresponding to $(175, 83)$. To decrypt, note that $\phi(N) = 160$. So we first
compute $\hat{c} := [23911^{160} \bmod 34969] = 25620$. Subtracting 1 and dividing by
187 gives

$$\hat{m} := (25620 - 1)/187 = 137;$$

since $90 = [160^{-1} \bmod 187]$, the message is recovered as

$$m := [137 \cdot 90 \bmod 187] = 175.$$  ◊

Correctness follows from the earlier discussion. We now prove security.


THEOREM 11.34 If the decisional composite residuosity problem is hard
relative to GenModulus, then the Paillier encryption scheme has indistinguishable
encryptions under a chosen-plaintext attack.


PROOF Let $\Pi$ denote the Paillier encryption scheme. We prove that
$\Pi$ has indistinguishable encryptions in the presence of an eavesdropper; by
Theorem 10.10 this implies that it is CPA-secure.

Let $\mathcal{A}$ be a probabilistic polynomial-time adversary, and define

$$\varepsilon(n) := \Pr[\mathsf{PubK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1].$$

Consider the following PPT adversary $D$ that attempts to solve the decisional
composite residuosity problem relative to GenModulus:

Algorithm $D$:

The algorithm is given $N, y$ as input.

• Set $pk = N$ and run $\mathcal{A}(pk)$ to obtain two messages $m_0, m_1$.

• Choose a random bit $b$ and set $c := [(1 + N)^{m_b} \cdot y \bmod N^2]$.

• Give the ciphertext $c$ to $\mathcal{A}$ and obtain an output bit $b'$. If
  $b' = b$, output 1; otherwise, output 0.


Let us analyze the behavior of $D$. There are two cases to consider:

Case 1: Say the input to $D$ was generated by running GenModulus($1^n$) to
obtain $(N, p, q)$, choosing random $r \leftarrow \mathbb{Z}_{N^2}^*$ and setting $y := [r^N \bmod N^2]$.
(That is, $y$ is a random element of $\mathrm{Res}(N^2)$.) In this case, the ciphertext $c$ is
constructed as

$$c = [(1 + N)^{m_b} \cdot r^N \bmod N^2]$$

for a random $r \in \mathbb{Z}_{N^2}^*$. Recalling that the distribution on $[r^N \bmod N^2]$ is the
same whether $r$ is chosen at random from $\mathbb{Z}_N^*$ or from $\mathbb{Z}_{N^2}^*$, we see that in
this case the view of $\mathcal{A}$ when run as a subroutine by $D$ is distributed exactly
as $\mathcal{A}$'s view in experiment $\mathsf{PubK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n)$. Since $D$ outputs 1 exactly when the
output $b'$ of $\mathcal{A}$ is equal to $b$, we have that

$$\Pr[D(N, [r^N \bmod N^2]) = 1] = \Pr[\mathsf{PubK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1] = \varepsilon(n),$$

where the left-most probability is taken over the appropriate experiment in
Definition 11.31.

Case 2: Say the input to $D$ was generated by running GenModulus($1^n$) to
obtain $(N, p, q)$ and choosing random $y \leftarrow \mathbb{Z}_{N^2}^*$. We claim that the view of
$\mathcal{A}$ in this case is independent of the bit $b$. To see this, note that since $y$ is a
random element of the group $\mathbb{Z}_{N^2}^*$, the ciphertext $c$ is randomly distributed in
$\mathbb{Z}_{N^2}^*$ (see Lemma 10.20) and, in particular, is independent of $m_b$. This means
the probability that $b' = b$ in this case is exactly $\frac{1}{2}$. That is,

$$\Pr[D(N, r) = 1] = \tfrac{1}{2},$$

where the probability is taken over the appropriate experiment in
Definition 11.31.

Combining the above we have that

$$\Big|\Pr[D(N, [r^N \bmod N^2]) = 1] - \Pr[D(N, r) = 1]\Big| = \big|\varepsilon(n) - \tfrac{1}{2}\big|.$$

By the assumption that the decisional composite residuosity problem is hard
relative to GenModulus, there exists a negligible function negl such that

$$\big|\varepsilon(n) - \tfrac{1}{2}\big| \le \mathrm{negl}(n)$$

and so $\varepsilon(n) \le \frac{1}{2} + \mathrm{negl}(n)$, completing the proof.  ∎


11.3.3 Homomorphic Encryption

The Paillier encryption scheme turns out to be useful in a number of
contexts since it is an example of a homomorphic encryption scheme over an
additive group. That is, if we let $\mathrm{Enc}_N(m)$ denote the (randomized) Paillier
encryption of a message $m \in \mathbb{Z}_N$ with respect to the public key $N$, we have

$$\mathrm{Enc}_N(m_1) \cdot \mathrm{Enc}_N(m_2) = \mathrm{Enc}_N([m_1 + m_2 \bmod N])$$

for all $m_1, m_2 \in \mathbb{Z}_N$. To see this, one can verify that

$$\big((1 + N)^{m_1} \cdot r_1^N\big) \cdot \big((1 + N)^{m_2} \cdot r_2^N\big) = (1 + N)^{m_1 + m_2} \cdot (r_1 r_2)^N \bmod N^2,$$

and the latter is a valid encryption of the message $[m_1 + m_2 \bmod N]$.

DEFINITION 11.35 A public-key encryption scheme (Gen, Enc, Dec) is
homomorphic if for all $n$ and all $(pk, sk)$ output by Gen($1^n$), it is possible to
define groups $\mathbb{M}, \mathbb{C}$ such that:

• The plaintext space is $\mathbb{M}$, and all ciphertexts output by $\mathrm{Enc}_{pk}$ are
  elements of $\mathbb{C}$.

• For any $m_1, m_2 \in \mathbb{M}$ and $c_1, c_2 \in \mathbb{C}$ with $m_1 = \mathrm{Dec}_{sk}(c_1)$ and $m_2 =
  \mathrm{Dec}_{sk}(c_2)$, it holds that

  $\mathrm{Dec}_{sk}(c_1 \cdot c_2) = m_1 \cdot m_2,$

  where the group operations are carried out in $\mathbb{C}$ and $\mathbb{M}$, respectively.

Restating what we have said above, the Paillier encryption scheme is
homomorphic taking $\mathbb{M} = \mathbb{Z}_N$ and $\mathbb{C} = \mathbb{Z}_{N^2}^*$ for the public key $pk = N$.

The Paillier encryption scheme is not the first homomorphic encryption
scheme we have seen. El Gamal encryption is also homomorphic: if Gen($1^n$)
outputs $pk = (\mathbb{G}, q, g, h)$ then messages are elements of $\mathbb{G}$ and ciphertexts are
elements of $\mathbb{G} \times \mathbb{G}$. Furthermore,

$$(g^{y_1},\ h^{y_1} \cdot m_1) \cdot (g^{y_2},\ h^{y_2} \cdot m_2) = (g^{y_1 + y_2},\ h^{y_1 + y_2} \cdot m_1 m_2)$$

is a valid encryption of the message $m_1 m_2 \in \mathbb{G}$. The Goldwasser-Micali
encryption scheme is also homomorphic (see Exercise 11.17).

A nice feature of Paillier encryption is that it is homomorphic over a large
additive group (namely, $\mathbb{Z}_N$). To see why this might be useful, imagine the
following cryptographic voting scheme based on Paillier encryption:

1. An authority generates a public key $N$ for the Paillier encryption scheme
   and publicizes $N$.

2. Let 0 stand for a "no", and let 1 stand for a "yes". Each of $\ell$ voters can
   cast their vote by encrypting it. That is, voter $i$ casts her vote $v_i$ by
   computing $c_i := [(1 + N)^{v_i} \cdot r_i^N \bmod N^2]$ for a randomly-chosen $r_i \leftarrow \mathbb{Z}_N^*$.

3. Each voter broadcasts their vote $c_i$. These votes are then publicly
   aggregated by computing

   $c^* := \prod_{i=1}^{\ell} c_i \bmod N^2.$

   Any external observer can verify that this step was done properly.

4. The authority is given the ciphertext $c^*$. (We assume the authority has
   not been able to observe what goes on until now.) By decrypting $c^*$,
   the authority obtains the vote total

   $v^* = \sum_{i=1}^{\ell} v_i \bmod N.$

   If $\ell$ is small (so that $\ell < N$ and the sum cannot wrap around modulo $N$),
   then $v^* = \sum_{i=1}^{\ell} v_i$.

Key features of the above are that the authority obtains the correct vote total
without learning any individual votes. Furthermore, no voter learns anyone
else's vote, either, and calculation of the vote total is publicly verifiable. We
assume here that all parties act honestly (and only try to learn others' votes
based on the information they have observed). There are attacks on the
above protocol when this assumption does not hold (a dishonest voter can, for
example, encrypt a $v_i$ other than 0 or 1 and skew the total, and nothing in the
protocol lets anyone detect this), and an entire research area of cryptography
is dedicated to formalizing appropriate security notions in settings such as
these, and designing secure protocols.
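The following Python program is an added example, not part of the textbook, serving both Construction 11.32 (checked against the numbers of Example 11.33) and the voting scheme just described. Primes are supplied directly, so there is no GenModulus; paillier_keygen, paillier_enc, paillier_dec, paillier_add, cast_vote, aggregate and tally are this example's own names, and the parameters are toy-sized.

```python
# Added example (not from the textbook): Construction 11.32, checked against the
# numbers of Example 11.33, the additive homomorphism of Section 11.3.3, and the
# toy voting protocol. Primes are supplied directly (toy sizes; there is no
# GenModulus here), and nothing below protects against a dishonest voter.
from math import gcd
import random


def paillier_keygen(p, q):
    """Gen: public key N = pq, private key (N, phi(N)) for distinct primes p, q of equal length."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(N, phi) != 1:                 # Proposition 11.27(1) is needed for decryption
        raise ValueError("gcd(N, phi(N)) != 1; choose primes of the same length")
    return N, (N, phi)


def paillier_enc(N, m, r=None, rng=random):
    """Enc: c = (1 + N)^m * r^N mod N^2 with r <- Z*_N; c corresponds to (m, r)."""
    N2 = N * N
    if r is None:
        r = rng.randrange(1, N)
        while gcd(r, N) != 1:
            r = rng.randrange(1, N)
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2


def paillier_dec(sk, c):
    """Dec: m = ((c^phi(N) mod N^2 - 1) / N) * phi(N)^{-1} mod N.
    c^phi corresponds to ([m*phi mod N], 1) = 1 + [m*phi mod N]*N, so the division is exact."""
    N, phi = sk
    N2 = N * N
    if not 0 < c < N2 or gcd(c, N) != 1:  # only units modulo N^2 are valid ciphertexts
        raise ValueError("ciphertext is not an element of Z*_{N^2}")
    c_hat = pow(c, phi, N2)
    m_hat, rem = divmod(c_hat - 1, N)
    assert rem == 0
    return m_hat * pow(phi, -1, N) % N


def paillier_add(N, c1, c2):
    """Homomorphic addition: Enc_N(m1) * Enc_N(m2) mod N^2 decrypts to m1 + m2 mod N."""
    return c1 * c2 % (N * N)


def cast_vote(N, v, rng=random):
    """Step 2 of the voting scheme: an honest voter encrypts v in {0, 1}."""
    if v not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    return paillier_enc(N, v, rng=rng)


def aggregate(N, ballots):
    """Step 3: c* = prod c_i mod N^2, computable (and checkable) by anyone."""
    c_star = 1                           # 1 corresponds to (0, 1), an encryption of 0
    for c in ballots:
        c_star = paillier_add(N, c_star, c)
    return c_star


def tally(sk, c_star):
    """Step 4: the authority decrypts c* once and learns only the total (correct while #voters < N)."""
    return paillier_dec(sk, c_star)


if __name__ == "__main__":
    N, sk = paillier_keygen(11, 17)                    # Example 11.33: N = 187
    c = paillier_enc(N, 175, r=83)
    print(c, paillier_dec(sk, c))                      # 23911 175
    ballots = [cast_vote(N, v) for v in (1, 0, 1, 1, 0)]
    print(tally(sk, aggregate(N, ballots)))            # 3
```

paillier_dec rejects anything outside $\mathbb{Z}_{N^2}^*$, and paillier_keygen refuses primes for which $\gcd(N, \phi(N)) \ne 1$ (for example $p = 3$, $q = 7$), since $\phi(N)$ would then have no inverse modulo $N$ and the last step of Dec fails. The tally is correct only while the number of voters is below $N$, and cast_vote checks only an honest voter's input: a dishonest voter who encrypts any other element of $\mathbb{Z}_N$ still produces a well-formed ciphertext, which is one of the attacks alluded to above.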
Childs [32] and Shoup [131] provide further coverage of the (computational)
number theory used in this chapter. A good description of the algorithm for
computing the Jacobi symbol modulo a composite of unknown factorization,
along with a proof of correctness, is given in [46]. The problem of deciding
quadratic residuosity modulo a composite of unknown factorization goes back
to Gauss [60] and is related to other (conjectured) hard number-theoretic
problems. The Goldwasser-Micali encryption scheme is from [69], and was
the first public-key encryption scheme with a rigorous proof of security.

Rabin [119] showed that computing square roots modulo a composite is
equivalent to factoring. See [28] for indication that solving the RSA problem is
not equivalent to factoring. The method shown in Section 11.2.2 for obtaining
a family of permutations based on squaring modulo a composite is due to
Blum [21]. Hard-core predicates for the Rabin trapdoor permutation are
discussed in [5, 75, 4] and references therein.

Section 10.2 of Shoup's text [131] characterizes $\mathbb{Z}_{N^e}^*$ for arbitrary integers
$N, e$ (and not just $N = pq$, $e = 2$ as done here). The Paillier encryption
scheme was introduced in [113].


Exercises 

11.1 Let $\mathbb{G}$ be an abelian group. Show that the set of quadratic residues in
     $\mathbb{G}$ forms a subgroup.

11.2 This question concerns the quadratic residues in the additive group $\mathbb{Z}_N$.
     (An element $y \in \mathbb{Z}_N$ is a quadratic residue if and only if there exists an
     $x \in \mathbb{Z}_N$ with $2x = y \bmod N$.)

     (a) What are the quadratic residues in $\mathbb{Z}_p$ for $p$ an odd prime?

     (b) Let $N = pq$ be a product of two odd primes $p$ and $q$. What are the
         quadratic residues in $\mathbb{Z}_N$?

     (c) Let $N$ be an even integer. What are the quadratic residues in $\mathbb{Z}_N$?

11.3 Let $N = pq$ with $p, q$ distinct, odd primes. Show a PPT algorithm for
     choosing a random element of $\mathcal{QNR}_N^{+1}$ when the factorization of $N$ is
     known. (Your algorithm can have failure probability negligible in $\|N\|$.)

11.4 Let $N = pq$ with $p, q$ distinct, odd primes. Prove that if $x \in \mathcal{QR}_N$ then
     $[x^{-1} \bmod N] \in \mathcal{QR}_N$, and if $x \in \mathcal{QNR}_N^{+1}$ then $[x^{-1} \bmod N] \in \mathcal{QNR}_N^{+1}$.
11.5 Let $N = pq$ with $p, q$ distinct, odd primes, and fix $z \in \mathcal{QNR}_N^{+1}$. Show
     that choosing random $x \leftarrow \mathcal{QR}_N$ and setting $y := [z \cdot x \bmod N]$ gives a
     $y$ that is uniformly distributed in $\mathcal{QNR}_N^{+1}$. I.e., for any $y \in \mathcal{QNR}_N^{+1}$,

     $\Pr[z \cdot x = y \bmod N] = 1/|\mathcal{QNR}_N^{+1}|,$

     where the probability is taken over random choice of $x \leftarrow \mathcal{QR}_N$.

     Hint: Use the previous exercise.

11.6 Let $N$ be the product of 5 distinct odd primes. If $y \in \mathbb{Z}_N^*$ is a quadratic
     residue, how many solutions are there to the equation $x^2 = y \bmod N$?

11.7 Consider the following variation of the Goldwasser-Micali encryption
     scheme: GenModulus($1^n$) is run to obtain $(N, p, q)$ where $N = pq$ and
     $p = q = 3 \bmod 4$. (I.e., $N$ is a Blum integer.) The public key is $N$
     and the secret key is $(p, q)$. To encrypt $m \in \{0, 1\}$, the sender chooses
     random $x \in \mathbb{Z}_N^*$ and computes the ciphertext $c := [(-1)^m \cdot x^2 \bmod N]$.

     (a) Prove that for $N$ of the stated form, $[-1 \bmod N] \in \mathcal{QNR}_N^{+1}$.

     (b) Prove that the scheme described has indistinguishable encryptions
         under a chosen-plaintext attack if deciding quadratic residuosity is
         hard relative to GenModulus.

11.8 Assume deciding quadratic residuosity is hard for GenModulus. Show
     that this implies the hardness of distinguishing a random element of
     $\mathcal{QR}_N$ from a random element of

11.9 Consider the following variation of the Goldwasser-Micali encryption
     scheme: GenModulus($1^n$) is run to obtain $(N, p, q)$. The public key
     is $N$ and the secret key is $(p, q)$. To encrypt a 0, the sender chooses
     $n$ random elements $c_1, \ldots, c_n \leftarrow \mathcal{QR}_N$. To encrypt a 1, the sender
     chooses $n$ random elements $c_1, \ldots, c_n \leftarrow$ . In each case, the resulting
     ciphertext is $c^* = (c_1, \ldots, c_n)$.

     (a) Show how the sender can generate a random element of    in
         polynomial time.

     (b) Suggest a way for the receiver to decrypt efficiently, though with
         error probability negligible in $n$.

     (c) Prove that if deciding quadratic residuosity is hard relative to
         GenModulus, then this scheme is CPA-secure.

     Hint: Use the previous exercise.

11.10 Let $\mathcal{G}$ be a polynomial-time algorithm that, on input $1^n$, outputs a prime
      $p$ with $\|p\| = n$ and a generator $g$ of $\mathbb{Z}_p^*$. Prove that the DDH problem
      is not hard relative to $\mathcal{G}$.

      Hint: Use the fact that quadratic residuosity can be decided efficiently
      modulo a prime.
11.11 The discrete logarithm problem is believed to be hard for $\mathcal{G}$ as in the previous exercise. This means that the function (family) $f_{p,g}$ where $f_{p,g}(x) = [g^x \bmod p]$ is one-way. Let $\mathsf{lsb}(x)$ denote the least-significant bit of $x$. Show that $\mathsf{lsb}$ is not a hard-core predicate for $f_{p,g}$.

11.12 Consider a “textbook Rabin” encryption scheme in which a message $m \in \mathcal{QR}_N$ is encrypted relative to a public key $N$ (where $N$ is a Blum integer) by computing the ciphertext $c := [m^2 \bmod N]$. Show a chosen-ciphertext attack on this scheme that recovers the entire private key.


11.13 Let $N$ be a Blum integer.

(a) Define the set $S = \{x \in \mathbb{Z}_N^* \mid x < N/2 \text{ and } \mathcal{J}_N(x) = 1\}$. Define the function $f_N : S \to S$ by:

$$
f_N(x) = \begin{cases} [x^2 \bmod N] & \text{if } [x^2 \bmod N] < N/2 \\ [-x^2 \bmod N] & \text{if } [x^2 \bmod N] > N/2 \end{cases}
$$

Show that $f_N$ is a permutation over $S$.

(b) Define a family of trapdoor permutations based on factoring using $f_N$ as defined above.


11.14 (a) Let $N$ be a Blum integer. Define the function $\mathsf{half}_N : \mathbb{Z}_N^* \to \{0,1\}$ as

$$
\mathsf{half}_N(x) = \begin{cases} 0 & \text{if } x < N/2 \\ 1 & \text{if } x > N/2 \end{cases}
$$

Show that the function $f : \mathbb{Z}_N^* \to \mathcal{QR}_N \times \{0,1\}^2$ defined as

$$
f(x) = \big([x^2 \bmod N],\ \mathcal{J}_N(x),\ \mathsf{half}_N(x)\big)
$$

is one-to-one.

(b) Suggest a “padded Rabin” encryption scheme that encrypts messages of length $n$. (All algorithms of your scheme should run in polynomial time, and the scheme should have correct decryption. Although a proof of security is unlikely, your scheme should not be susceptible to any obvious attacks.)


11.15 Show that the isomorphism of Lemma 11.27 can be efficiently inverted when the factorization of $N$ is known.

11.16 Let $\Phi(N)$ denote the set $\{(a,1) \mid a \in \mathbb{Z}_N\} \subset \mathbb{Z}_{N^2}^*$. Show that it is not hard to decide whether a given element $y \in \mathbb{Z}_{N^2}^*$ is in $\Phi(N)$.


11.17  Show  that  the  Goldwasser-Micali  encryption  scheme  is  homomorphic 
when  the  plaintext  space  {0, 1}  is  viewed  as  the  group  Z2. 


Chapter  12 

Digital  Signature  Schemes 


12.1  Digital  Signatures  — An  Overview 

Thus far, we have dealt only with methods for achieving private communication in the public-key setting. We now turn to the question of preserving message integrity. The public-key counterpart of message authentication codes is the digital signature, though there are some important differences as we shall see below.

Digital signature schemes allow a signer $S$ who has established a public key $pk$ to “sign” a message in such a way that any other party who knows $pk$ (and knows that this public key was established by $S$) can verify that the message originated from $S$ and has not been modified in any way. As an example of typical usage of a digital signature scheme, consider a software company that wants to disseminate software patches in an authenticated manner: that is, when the company needs to release a software patch it should be possible for any of its clients to recognize that the patch is authentic, and a malicious third party should never be able to fool a client into accepting a patch that was not actually released by the company. To do this, the company can generate a public key $pk$ along with a private key $sk$, and then distribute $pk$ in some reliable manner to its clients while keeping $sk$ secret. (As in the case of public-key encryption, we assume that this initial distribution of the public key is carried out correctly so that all clients have a correct copy of $pk$. In the current example, $pk$ can be included with the original software purchased by a client.) When releasing a software patch $m$, the company can then compute a digital signature $\sigma$ on $m$ using its private key $sk$, and send the pair $(m, \sigma)$ to every client. Each client can verify the authenticity of $m$ by checking that $\sigma$ is a legitimate signature on $m$ with respect to the public key $pk$. The same public key $pk$ is used by all clients, and so only a single signature needs to be computed by the company and sent to everyone.

A malicious party might try to issue a fake patch by sending $(m', \sigma')$ to a client, where $m'$ represents a patch that was never released by the company. This $m'$ might be a modified version of some previous patch $m$, or it might be completely new and unrelated to previous patches. However, if the signature scheme is “secure” (in a sense we will define more carefully soon), then when the client attempts to verify $\sigma'$ it will find that this is an invalid signature on $m'$ with respect to $pk$, and will therefore reject the signature. The client should reject even if $m'$ is modified only slightly from a genuine patch $m$.

The  above  is  not  just  a theoretical  application  of  digital  signatures,  but  one 
that  is  used  extensively  today. 

Comparison  to  Message  Authentication  Codes 

Both  message  authentication  codes  and  digital  signature  schemes  are  used 
to  ensure  the  integrity  (or  authenticity)  of  transmitted  messages.  Although 
the  discussion  in  Chapter  9 comparing  the  public-  and  private-key  settings 
focused  on  the  case  of  encryption,  it  is  easy  to  see  that  the  discussion  applies 
also  to  the  case  of  message  integrity.  Use  of  digital  signatures  rather  than 
message  authentication  codes  simplifies  key  management,  especially  when  a 
sender  needs  to  communicate  with  multiple  receivers.  In  particular,  by  using 
a digital  signature  scheme  the  sender  can  avoid  having  to  establish  a distinct 
secret  key  with  each  potential  receiver,  and  avoid  having  to  compute  a separate 
MAC  tag  with  respect  to  each  such  key.  Instead,  the  sender  need  only  compute 
a single  signature  that  can  be  verified  by  all  recipients. 

A qualitative  advantage  that  digital  signatures  have  as  compared  to  message 
authentication  codes  is  that  signatures  are  publicly  verifiable.  This  means  that 
if  a receiver  verifies  the  signature  on  a given  message  as  being  legitimate,  then 
it  is  assured  that  all  other  parties  who  receive  this  signed  message  will  also 
verify  it  as  legitimate.  This  feature  is  not  achieved  by  message  authentication 
codes  where  a signer  shares  a separate  key  with  each  receiver:  in  such  a setting 
a malicious  sender  might  compute  a correct  MAC  tag  with  respect  to  receiver 
A’s  shared  key  but  an  incorrect  MAC  tag  with  respect  to  a different  user  B’s 
shared  key.  In  this  case,  A knows  that  he  received  an  authentic  message  from 
the  sender  but  has  no  guarantee  that  other  recipients  will  agree. 

Public verifiability implies that signatures are transferable: a signature $\sigma$ on a message $m$ by a particular signer $S$ can be shown to a third party, who can then verify herself that $\sigma$ is a legitimate signature on $m$ with respect to $S$'s public key (here, we assume this third party also knows $S$'s public key). By making a copy of the signature, this third party can then show the signature to another party and convince them that $S$ authenticated $m$, and so on. Transferability and public verifiability are essential for the application of digital signatures to certificates and public-key infrastructures, as we will discuss in further detail in Section 12.8.

Digital signature schemes also provide the very important property of non-repudiation. That is — assuming a signer $S$ widely publicizes his public key in the first place — once $S$ signs a message he cannot later deny having done so. This aspect of digital signatures is crucial for situations where a recipient needs to prove to a third party (say, a judge) that a signer did indeed “certify” a particular message (e.g., a contract); assuming $S$'s public key is known to the judge, or is otherwise publicly available, a valid signature on a message is enough to convince the judge that $S$ indeed signed this message. Message authentication codes simply cannot provide this functionality. To see this, say users $S$ and $R$ share a key $k_{SR}$, and $S$ sends a message $m$ to $R$ along with a (valid) MAC tag $\mathsf{tag}$ computed using $k_{SR}$. Since the judge does not know $k_{SR}$ (indeed, this key is kept secret by $S$ and $R$), there is no way for the judge to determine whether $\mathsf{tag}$ is valid or not. If $R$ were to reveal the key $k_{SR}$ to the judge, there would still be no way for the judge to know whether this is the “actual” key that $S$ and $R$ shared, or whether it is some “fake” key manufactured by $R$. Even if we assume the judge is given the actual key $k_{SR}$, and can somehow be convinced of this fact, there is no way for $R$ to prove that it was $S$ who generated $\mathsf{tag}$ — the very fact that message authentication codes are symmetric (so that anything $S$ can do, $R$ can also do) implies that $R$ could have generated $\mathsf{tag}$ on its own, and so there is no way for the judge to distinguish between the actions of the two parties.

As  in  the  case  of  private-  vs.  public-key  encryption,  message  authentication 
codes  have  the  advantage  of  being  roughly  2-3  orders  of  magnitude  more 
efficient  than  digital  signatures.  Thus,  in  situations  where  public  verifiability, 
transferability,  and/or  non-repudiation  are  not  needed,  and  the  sender  will 
communicate  primarily  with  a single  recipient  (with  whom  it  is  able  to  share 
a secret  key),  message  authentication  codes  are  preferred. 


Relation  to  Public-Key  Encryption 

Digital signatures are often mistakenly viewed as the “inverse” of public-key encryption, with the roles of the sender and receiver interchanged. Historically, in fact, it has been suggested that digital signatures can be obtained by “reversing” public-key encryption, i.e., signing a message $m$ by decrypting it (using the private key) to obtain $\sigma$, and verifying a signature $\sigma$ by encrypting it (using the corresponding public key) and checking whether the result is $m$.^1 The suggestion to construct signature schemes in this way is completely unfounded: in most cases, it is simply inapplicable, and in cases when it is applicable it results in signature schemes that are completely insecure.


12.2  Definitions 

As we have noted, digital signatures are the public-key counterpart of message authentication codes. The algorithm that the sender applies to a message is now denoted Sign (rather than Mac), and the output of this algorithm is now called a signature (rather than a tag). The algorithm that the receiver applies to a message and a signature in order to verify legitimacy is again denoted Vrfy. We now formally define the syntax of a digital signature scheme.

^1 This view no doubt arises in part because, as we will see in Section 12.3.1, “textbook RSA” signatures are indeed the reverse of textbook RSA encryption. However, neither textbook RSA signatures nor textbook RSA encryption meet even minimal notions of security.

DEFINITION 12.1 A signature scheme is a tuple of three probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) satisfying the following:

1. The key-generation algorithm Gen takes as input a security parameter $1^n$ and outputs a pair of keys $(pk, sk)$. These are called the public key and the private key, respectively. We assume for convenience that $pk$ and $sk$ each have length at least $n$, and that $n$ can be determined from $pk, sk$.

2. The signing algorithm Sign takes as input a private key $sk$ and a message $m \in \{0,1\}^*$.^2 It outputs a signature $\sigma$, denoted as $\sigma \leftarrow \mathsf{Sign}_{sk}(m)$.

3. The deterministic verification algorithm Vrfy takes as input a public key $pk$, a message $m$, and a signature $\sigma$. It outputs a bit $b$, with $b = 1$ meaning valid and $b = 0$ meaning invalid. We write this as $b := \mathsf{Vrfy}_{pk}(m, \sigma)$.

It is required that for every $n$, every $(pk, sk)$ output by $\mathsf{Gen}(1^n)$, and every $m \in \{0,1\}^*$, it holds that

$$
\mathsf{Vrfy}_{pk}(m, \mathsf{Sign}_{sk}(m)) = 1.
$$

If (Gen, Sign, Vrfy) is such that for every $(pk, sk)$ output by $\mathsf{Gen}(1^n)$, algorithm $\mathsf{Sign}_{sk}$ is only defined for messages $m \in \{0,1\}^{\ell(n)}$ (and $\mathsf{Vrfy}_{pk}$ outputs 0 for $m \notin \{0,1\}^{\ell(n)}$), then we say that (Gen, Sign, Vrfy) is a signature scheme for messages of length $\ell(n)$.

We say that $\sigma$ is a valid signature on a message $m$ (with respect to some public key $pk$ that is understood from the context) if $\mathsf{Vrfy}_{pk}(m, \sigma) = 1$. We remark that the correctness requirement in the definition can be relaxed to allow for a negligible probability of error (as in Definition 10.1). Although this is sometimes needed in concrete schemes, we ignore this issue in our presentation.

A signature scheme is used in the following way. One party $S$, who acts as the sender, runs $\mathsf{Gen}(1^n)$ to obtain keys $(pk, sk)$. The public key $pk$ is then publicized as belonging to $S$; e.g., $S$ can put the public key on its webpage or place it in some public directory. As in the case of public-key encryption, we assume that any other party is able to obtain a legitimate copy of $S$'s public key (see discussion below). When $S$ wants to transmit a message $m$, it computes the signature $\sigma \leftarrow \mathsf{Sign}_{sk}(m)$ and sends $(m, \sigma)$. Upon receipt of $(m, \sigma)$, a receiver who knows $pk$ can verify the authenticity of $m$ by checking whether $\mathsf{Vrfy}_{pk}(m, \sigma) = 1$. This establishes both that $S$ sent $m$, and also that $m$ was not modified in transit. As in the case of message authentication codes, however, it does not say anything about when $m$ was sent, and replay attacks are still possible (see Section 4.3).

^2 As in the case of public-key encryption, we could also assume some underlying message space that may depend on $pk$. Except for the textbook RSA signature scheme (which is anyway insecure) all schemes in this book will sign bit strings.

The assumption that parties are able to obtain a legitimate copy of $S$'s public key implies that $S$ is able to transmit at least one message (namely, $pk$ itself) in a reliable and authenticated manner. Given this, one may wonder why signature schemes are needed at all! The point is that reliable distribution of $pk$ is a difficult task, but using a signature scheme means that this need only be carried out once, after which an unlimited number of messages can subsequently be sent reliably. Furthermore, as we will discuss in Section 12.8, signature schemes themselves are used to ensure the reliable distribution of other public keys. As we will see, this is a central tool in the “public-key infrastructure” solution to the key distribution problem.

Security of signature schemes. Given a public key $pk$ generated by a signer $S$, we say that an adversary outputs a forgery if it outputs a message $m$ along with a valid signature $\sigma$ on $m$, and furthermore $m$ was not previously signed by $S$. As in the case of message authentication, security of a digital signature scheme means that an adversary cannot output a forgery even if it is allowed to obtain signatures on many other messages of its choice. This is the direct analogue of the definition of security for message authentication codes, and we refer the reader to Section 4.3 for motivation and further discussion.

Let $\Pi = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ be a signature scheme, and consider the following experiment for an adversary $\mathcal{A}$ and parameter $n$:

The signature experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n)$:

1. $\mathsf{Gen}(1^n)$ is run to obtain keys $(pk, sk)$.

2. Adversary $\mathcal{A}$ is given $pk$ and oracle access to $\mathsf{Sign}_{sk}(\cdot)$. (This oracle returns a signature $\mathsf{Sign}_{sk}(m)$ for any message $m$ of the adversary's choice.) The adversary then outputs $(m, \sigma)$. Let $\mathcal{Q}$ denote the set of messages whose signatures were requested by $\mathcal{A}$ during its execution.

3. The output of the experiment is defined to be 1 if and only if (1) $\mathsf{Vrfy}_{pk}(m, \sigma) = 1$, and (2) $m \notin \mathcal{Q}$.

We now present the definition of security, which is essentially the same as Definition 4.2 for message authentication codes.

DEFINITION 12.2 A signature scheme $\Pi = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathsf{negl}$ such that:

$$
\Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n).
$$
12.3 RSA Signatures

We begin our consideration of concrete signature schemes with a discussion of various schemes based on the RSA assumption. We warn the reader that none of the schemes in this section are known to be secure (though a variant of one of the schemes we show here will later be proven secure in a model that is discussed in detail in Chapter 13). We introduce these schemes mainly to provide examples of attacks on digital signature schemes, as well as to provide some intuition as to why constructing secure signature schemes is highly non-trivial.


12.3.1  “Textbook  RSA”  and  its  Insecurity 

We  begin  by  introducing  the  “textbook  RSA”  signature  scheme.  We  refer  to 
the  scheme  as  such  since  many  textbooks  describe  RSA  signatures  in  exactly 
this  way  with  no  further  warning.  Unfortunately,  “textbook  RSA”  signatures 
are  insecure  as  we  will  demonstrate  below. 

Let GenRSA be a PPT algorithm that, on input $1^n$, outputs a modulus $N$ that is the product of two $n$-bit primes (except with negligible probability), along with integers $e, d$ satisfying $ed = 1 \bmod \phi(N)$. Key generation in the textbook RSA scheme is performed by simply running GenRSA, and outputting $(N, e)$ as the public key and $(N, d)$ as the private key. To sign a message $m \in \mathbb{Z}_N^*$ the signer computes $\sigma := [m^d \bmod N]$. Verification of a signature $\sigma$ on a message $m$ with respect to the public key $(N, e)$ is carried out by checking whether $m \overset{?}{=} \sigma^e \bmod N$. See Construction 12.3.


CONSTRUCTION 12.3

Let GenRSA be as in the text. Define a signature scheme as follows:

• Gen: on input $1^n$ run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $(N, e)$ and the private key is $(N, d)$.

• Sign: on input a private key $sk = (N, d)$ and a message $m \in \mathbb{Z}_N^*$, compute the signature

$$
\sigma := [m^d \bmod N].
$$

• Vrfy: on input a public key $pk = (N, e)$, a message $m \in \mathbb{Z}_N^*$, and a signature $\sigma \in \mathbb{Z}_N^*$, output 1 if and only if

$$
m \overset{?}{=} [\sigma^e \bmod N].
$$

The “textbook RSA” signature scheme.
It is easy to see that verification of a legitimately-generated signature is always successful since

$$
\sigma^e = (m^d)^e = m^{ed} = m \bmod N.
$$

The textbook RSA signature scheme is insecure, however, as the following examples demonstrate.

A no-message attack. It is trivial to output a forgery for the textbook RSA signature scheme based on the public key alone, without even obtaining any signatures from the legitimate signer. The attack works as follows: given a public key $pk = (N, e)$, choose an arbitrary $\sigma \in \mathbb{Z}_N^*$ and compute $m := [\sigma^e \bmod N]$. Then output the forgery $(m, \sigma)$. It is immediate that $\sigma$ is a valid signature on $m$, and this is obviously a forgery since no signature on $m$ (in fact, no signatures at all!) was generated by the owner of the public key. We conclude that the textbook RSA signature scheme does not satisfy Definition 12.2.

One may argue that this does not constitute a “realistic” attack since the adversary has “no control” over the message $m$ for which it forges a valid signature. Of course, this is irrelevant as far as Definition 12.2 is concerned, and we have already discussed (in Chapter 4) why it is dangerous to assume any semantics for messages that are going to be authenticated using any cryptographic scheme. Moreover, the adversary does have some control over $m$: for example, by choosing multiple random values of $\sigma$ it can (with high probability) obtain an $m$ with certain bits set in any desired way. Or, by choosing $\sigma$ in some structured manner, rather than at random, it may also be possible to influence the message for which a forgery can be output.

Forging a signature on an arbitrary message. A more damaging attack on the textbook RSA signature scheme requires the adversary to obtain two signatures from the signer, but allows the adversary to output a forgery on any message of the adversary's choice. Say the adversary wants to forge a signature on the message $m \in \mathbb{Z}_N^*$ with respect to the public key $pk = (N, e)$. The adversary chooses a random $m_1 \in \mathbb{Z}_N^*$, sets $m_2 := [m / m_1 \bmod N]$, and then obtains signatures $\sigma_1$ and $\sigma_2$ on $m_1$ and $m_2$, respectively. We claim that $\sigma := [\sigma_1 \cdot \sigma_2 \bmod N]$ is a valid signature on $m$. This is because

$$
\sigma^e = (\sigma_1 \cdot \sigma_2)^e = (m_1^d \cdot m_2^d)^e = m_1^{de} \cdot m_2^{de} = m_1 m_2 = m \bmod N,
$$

using the fact that $\sigma_1, \sigma_2$ are valid signatures on $m_1, m_2$. This constitutes a forgery since $m$ is not equal to $m_1$ or $m_2$ (except with negligible probability).

Being able to forge a signature on an arbitrary message is clearly devastating. Nevertheless, one might argue that this attack is unrealistic since an adversary will never be able to convince a signer to sign the exact messages $m_1$ and $m_2$ as needed for the above attack. Once again, this is irrelevant as far as Definition 12.2 is concerned. Furthermore, it is dangerous to make assumptions about what messages the signer will or will not be willing to sign. For example, signing may be used as a method of authentication whereby a client proves its identity by signing a random value sent by a server. A malicious server could then obtain a signature on any message(s) of its choice. It may also be possible for the adversary to choose $m_1$ in a particular way (rather than at random) in order to make $m_2$ a “legitimate” message that the signer will sign. Note also that the attack can be generalized: if an adversary obtains valid signatures on some $q$ arbitrary messages $M = \{m_1, \ldots, m_q\}$, then the adversary can output a forgery for any of the $2^q - q - 1$ messages obtained by taking products of subsets of $M$ (of size greater than 1).

12.3.2  Hashed  RSA 

Numerous  modifications  of  the  textbook  RSA  signature  scheme  have  been 
proposed  in  an  effort  to  prevent  the  attacks  described  in  the  previous  section. 
Most  of  these  proposals  have  not  been  proven  secure,  and  should  not  be 
used.  Nevertheless,  we  show  one  such  example  here  (another  example  is  given 
in  Exercise  12.4).  This  example  serves  as  an  illustration  of  a more  general 
paradigm  that  will  be  explored  in  the  following  section,  and  can  be  proven 
secure  in  an  “idealized”  model  that  will  be  described  in  detail  in  Chapter  13. 

The basic idea is to modify the textbook RSA signature scheme by applying some function $H$ to the message before signing it. That is, the public and private keys are the same as before except that a description of some function $H : \{0,1\}^* \to \mathbb{Z}_N^*$ is now included as part of the public key. A message $m \in \{0,1\}^*$ is signed by computing

$$
\sigma := [H(m)^d \bmod N].
$$

(That is, $\hat{m} := H(m)$ is first computed, followed by $\sigma := [\hat{m}^d \bmod N]$.) Verification of the pair $(m, \sigma)$ is carried out by checking whether

$$
\sigma^e \overset{?}{=} H(m) \bmod N.
$$

Clearly,  verification  of  a legitimately-generated  signature  will  always  succeed. 

An immediate observation is that a minimal requirement for the above scheme to be secure is that $H$ must be collision-resistant (see Section 4.6): if it is not, and an adversary can find two different messages $m_1, m_2$ with $H(m_1) = H(m_2)$, then forgery is trivial. (Note, however, that $H$ need not be compressing.) Since $H$ must be a collision-resistant hash function, this modified scheme is sometimes called the hashed RSA signature scheme.

There  is  no  known  function  H for  which  hashed  RSA  signatures  are  known 
to  be  secure  in  the  sense  of  Definition  12.2.  Nevertheless,  we  can  at  least 
describe  the  intuition  as  to  why  the  attacks  shown  on  the  textbook  RSA 
signature  scheme  in  the  previous  section  are  likely  to  be  more  difficult  to 
carry  out  against  the  hashed  RSA  signature  scheme. 
The no-message attack. The natural way to attempt the no-message attack shown previously is to choose an arbitrary $\sigma \in \mathbb{Z}_N^*$, compute $\hat{m} := [\sigma^e \bmod N]$, and then try to find some $m \in \{0,1\}^*$ such that $H(m) = \hat{m}$. If the function $H$ is not efficiently invertible this appears difficult to do.

Forging a signature on an arbitrary message. The natural way to attempt the chosen-message attack shown previously requires the adversary to find three messages $m, m_1, m_2$ for which $H(m) = [H(m_1) \cdot H(m_2) \bmod N]$. Once again, if $H$ is not efficiently invertible this seems difficult to do.

Security of hashed RSA. Variants of hashed RSA are used in practice. It is possible to prove the security of hashed RSA in an idealized model where $H$ is a truly random function. Although $H$ is clearly not random (because $H$ is a concrete, deterministic function), this provides a heuristic justification of the scheme when $H$ is a “random-looking” cryptographic hash function such as SHA-1. See Chapter 13 for further discussion regarding the idealized model just mentioned, and the meaning of security proofs in this model.
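The two forgeries of Section 12.3.1 run against Construction 12.3, and the hashed-RSA variant of Section 12.3.2 rejecting the same multiplicative trick, as an added example that is not the book's own code. The Mersenne primes, the exponent 65537, the SHA-256-mod-$N$ model of $H$ and the message values are constructed for illustration and are far too small for real use.

```python
import hashlib
import math
import secrets

# Constructed toy parameters: the Mersenne primes 2^89-1 and 2^107-1, so N is
# about 196 bits and every pow() below is instant. Nowhere near a real key size.
# gcd(65537, phi(N)) = 1 for these primes, so e = 65537 is a valid exponent.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537


def gen(p=P, q=Q, e=E):
    """Gen of Construction 12.3: public key (N, e), private key (N, d)."""
    n_mod = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # ed = 1 mod phi(N)
    return (n_mod, e), (n_mod, d)


def sign_textbook(sk, m):
    """Sign of Construction 12.3: sigma := m^d mod N."""
    n_mod, d = sk
    return pow(m, d, n_mod)


def vrfy_textbook(pk, m, sigma):
    """Vrfy of Construction 12.3: accept iff m == sigma^e mod N."""
    n_mod, e = pk
    return m % n_mod == pow(sigma, e, n_mod)


def no_message_forgery(pk):
    """The no-message attack: fix sigma first, then derive the m it 'signs'.
    Returns (m, sigma); vrfy_textbook accepts it without any signing query."""
    n_mod, e = pk
    sigma = secrets.randbelow(n_mod - 2) + 2
    return pow(sigma, e, n_mod), sigma


def chosen_message_forgery(pk, sign_oracle, m):
    """Forgery on an arbitrary m from two signing queries: write m = m1*m2 mod N
    and multiply the two legitimate signatures (sigma1*sigma2)^e = m1*m2 = m."""
    n_mod, e = pk
    m1 = secrets.randbelow(n_mod - 2) + 2
    while math.gcd(m1, n_mod) != 1:  # m1 must lie in Z_N^* to be invertible
        m1 = secrets.randbelow(n_mod - 2) + 2
    m2 = m * pow(m1, -1, n_mod) % n_mod
    return sign_oracle(m1) * sign_oracle(m2) % n_mod


# Hashed RSA (Section 12.3.2): H : {0,1}^* -> Z_N^* is modelled here as
# SHA-256 reduced mod N (a constructed stand-in; it misses Z_N^* only with
# negligible probability, which is ignored).
def hash_to_zn(n_mod, m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n_mod


def sign_hashed(sk, m: bytes):
    """sigma := H(m)^d mod N."""
    n_mod, d = sk
    return pow(hash_to_zn(n_mod, m), d, n_mod)


def vrfy_hashed(pk, m: bytes, sigma):
    """Accept iff sigma^e == H(m) mod N."""
    n_mod, e = pk
    return hash_to_zn(n_mod, m) == pow(sigma, e, n_mod)


def demo():
    """Both forgeries are accepted by textbook RSA; multiplying two hashed-RSA
    signatures yields sigma^e = H(m1)*H(m2), which is not H of a third message."""
    pk, sk = gen()
    n_mod = pk[0]
    m, sigma = no_message_forgery(pk)
    accepted_no_msg = vrfy_textbook(pk, m, sigma)                  # True
    target = 0x5061746368322E30  # constructed message, the bytes "Patch2.0"
    sigma = chosen_message_forgery(pk, lambda x: sign_textbook(sk, x), target)
    accepted_chosen = vrfy_textbook(pk, target, sigma)              # True
    s1 = sign_hashed(sk, b"patch-1.0")
    s2 = sign_hashed(sk, b"patch-1.1")
    accepted_hashed = vrfy_hashed(pk, b"patch-2.0", s1 * s2 % n_mod)  # False
    return accepted_no_msg, accepted_chosen, accepted_hashed


if __name__ == "__main__":
    print(demo())
```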


12.4  The  “Hash-and-Sign”  Paradigm 

The hashed RSA signature scheme can be viewed as an attempt to prevent certain attacks on the textbook RSA signature scheme. The success of this approach is mixed, as discussed above. We may note, however, that hashed RSA offers another advantage relative to textbook RSA: it can be used to sign arbitrary-length bit-strings, rather than just elements of $\mathbb{Z}_N^*$. This feature is useful in general, and the approach of hashing a message and then signing the result (using an underlying signature scheme that is secure) is a standard way to achieve it. We study the security of this approach now.

Let $\Pi = (\mathsf{Gen}_S, \mathsf{Sign}, \mathsf{Vrfy})$ be a signature scheme for messages of length $\ell(n) = n$. (Everything that follows can be modified appropriately for an arbitrary $\ell(n)$ as long as it is super-logarithmic in $n$.) Let $\Pi_H = (\mathsf{Gen}_H, H)$ be a hash function as per Definition 4.11, where the output of $H^s$, on security parameter $1^n$, has length $n$. We construct a signature scheme $\Pi' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vrfy}')$ for arbitrary-length messages as follows: $\mathsf{Gen}'(1^n)$ computes $(pk, sk) \leftarrow \mathsf{Gen}_S(1^n)$ and $s \leftarrow \mathsf{Gen}_H(1^n)$, and sets the public key equal to $(pk, s)$ and the private key equal to $(sk, s)$. To sign the message $m \in \{0,1\}^*$, the signer simply computes $\sigma \leftarrow \mathsf{Sign}_{sk}(H^s(m))$. Verification is performed by checking that $\mathsf{Vrfy}_{pk}(H^s(m), \sigma) \overset{?}{=} 1$. See Construction 12.4. Note that the hashed RSA signature scheme is indeed constructed from the textbook RSA signature scheme using exactly this approach (of course, the theorem below does not apply in that case because textbook RSA signatures are insecure).
CONSTRUCTION 12.4

Let $\Pi = (\mathsf{Gen}_S, \mathsf{Sign}, \mathsf{Vrfy})$ and $\Pi_H = (\mathsf{Gen}_H, H)$ be as in the text. Construct a signature scheme $\Pi'$ for arbitrary-length messages as follows:

• Gen': on input $1^n$, run $\mathsf{Gen}_S(1^n)$ to obtain $(pk, sk)$, and run $\mathsf{Gen}_H(1^n)$ to obtain $s$. The public key is $pk' = (pk, s)$ and the private key is $sk' = (sk, s)$.

• Sign': on input a private key $(sk, s)$ and a message $m \in \{0,1\}^*$, compute $\sigma \leftarrow \mathsf{Sign}_{sk}(H^s(m))$.

• Vrfy': on input a public key $(pk, s)$, a message $m \in \{0,1\}^*$, and a signature $\sigma$, output 1 if and only if $\mathsf{Vrfy}_{pk}(H^s(m), \sigma) \overset{?}{=} 1$.

The hash-and-sign paradigm.

THEOREM 12.5 If $\Pi$ is existentially unforgeable under an adaptive chosen-message attack and $\Pi_H$ is collision resistant, then Construction 12.4 is existentially unforgeable under an adaptive chosen-message attack.


PROOF The idea behind the proof is that a forgery must involve either finding a collision in $H$ or forging a signature with respect to the fixed-length signature scheme $\Pi$. This intuition was described immediately following Theorem 4.16 in Section 4.7, so we proceed directly to the formal proof here.

Let $\mathcal{A}'$ be a probabilistic polynomial-time adversary attacking $\Pi'$. In an execution of experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n)$, let $pk' = (pk, s)$ denote the public key used, let $\mathcal{Q}$ denote the set of messages whose signatures were requested by $\mathcal{A}'$, and let $(m, \sigma)$ be the final output of $\mathcal{A}'$. We assume without loss of generality that $m \notin \mathcal{Q}$. Define $\mathsf{coll}_{\mathcal{A}',\Pi'}(n)$ to be the event that, in experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n)$, there exists an $m' \in \mathcal{Q}$ for which $H^s(m') = H^s(m)$. We have

$$
\begin{aligned}
\Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1]
&= \Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1 \wedge \mathsf{coll}_{\mathcal{A}',\Pi'}(n)] \\
&\quad + \Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1 \wedge \overline{\mathsf{coll}_{\mathcal{A}',\Pi'}(n)}] \\
&\le \Pr[\mathsf{coll}_{\mathcal{A}',\Pi'}(n)] + \Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A}',\Pi'}(n) = 1 \wedge \overline{\mathsf{coll}_{\mathcal{A}',\Pi'}(n)}]. \qquad (12.1)
\end{aligned}
$$

We show that both terms in Equation (12.1) are negligible, which completes the proof. Intuitively, the first term is negligible by the collision resistance of $\Pi_H$, and the second term is negligible by the security of $\Pi$. (In order to see why the security of $\Pi$ implies that the second term is negligible, notice that when $\mathsf{coll}_{\mathcal{A}',\Pi'}(n)$ does not occur, $H^s(m) \neq H^s(m')$ for every $m' \in \mathcal{Q}$. This implies that a successful forgery $(m, \sigma)$ by $\mathcal{A}'$ with respect to $\Pi'$ yields a successful forgery $(H^s(m), \sigma)$ with respect to $\Pi$. By the security of $\Pi$, this must occur with negligible probability.) We begin by proving that the first term is negligible.
Consider the following PPT algorithm C for finding a collision in Π_H:

Algorithm C:

The algorithm is given s as input (with n implicit).

• Compute Gen_S(1^n) to obtain (pk, sk). Set pk' = (pk, s).

• Run A' on input pk'. When A' requests the ith signature on some message m_i ∈ {0,1}*, compute σ_i ← Sign_sk(H^s(m_i)) and give σ_i to A'.

• Eventually, A' outputs (m, σ). If there exists an i for which H^s(m) = H^s(m_i), output (m, m_i).

Let us analyze the behavior of C. When the input to C is generated by running Gen_H(1^n) to obtain s, the view of A' when run as a subroutine by C is distributed identically to the view of A' in experiment Sig-forge_{A',Π'}(n). Since C outputs a collision exactly when coll_{A',Π'}(n) occurs, we have

$$
\Pr[\mathsf{Hash\text{-}coll}_{C,\Pi_H}(n) = 1] = \Pr[\mathsf{coll}_{A',\Pi'}(n)].
$$

Since Π_H is collision resistant, we conclude that Pr[coll_{A',Π'}(n)] is negligible.

We now proceed to prove that the second term in Equation (12.1) is negligible. Consider the following PPT adversary A attacking signature scheme Π:

Adversary A:

The adversary is given as input a public key pk (with n implicit), and has access to a signing oracle Sign_sk(·).

• Compute Gen_H(1^n) to obtain s, and set pk' = (pk, s).

• Run A' on input pk'. When A' requests the ith signature on a message m_i ∈ {0,1}*, this is answered as follows: (1) compute m̂_i := H^s(m_i); then (2) obtain a signature σ_i on m̂_i from the signing oracle, and give σ_i to A'.

• Eventually, A' outputs (m, σ). Output (H^s(m), σ).

Consider experiment Sig-forge_{A,Π}(n). In this experiment, the view of A' when run as a subroutine by A is distributed exactly as its view in experiment Sig-forge_{A',Π'}(n). Furthermore, it can be easily verified that whenever both Sig-forge_{A',Π'}(n) = 1 and ¬coll_{A',Π'}(n) occur, A outputs a forgery. (It is clear that σ is a valid signature on H^s(m) with respect to pk. The fact that coll_{A',Π'}(n) does not occur means that m̂ = H^s(m) was never asked by A to its own signing oracle, and so m̂ is not among the messages for which A obtained a signature.) Therefore,

$$
\Pr[\mathsf{Sig\text{-}forge}_{A,\Pi}(n) = 1] = \Pr[\mathsf{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathsf{coll}_{A',\Pi'}(n)}],
$$

and security of Π implies that the latter probability is negligible. This concludes the proof of the theorem. ■
An analogue of Theorem 12.5 holds for the case of message authentication codes, and gives an alternative to Theorem 4.6 for constructing variable-length MACs from fixed-length MACs (albeit under the additional assumption that collision-resistant hash functions exist, which is not needed for Theorem 4.6). As noted in Section 4.7, this "hash-and-MAC" approach is the basis for the security of NMAC and HMAC.


12.5  Lamport’s  One-Time  Signature  Scheme 

Although Definition 12.2 is the standard definition of security for digital signature schemes, weaker definitions have also been considered. Signature schemes satisfying these weaker definitions may be appropriate for certain restricted applications, and may also serve as useful "building blocks" for signature schemes satisfying stronger notions of security, as we will see in the following section.

In this section, we define one-time signature schemes which, informally, are "secure" as long as they are used to sign only a single message. We then show a construction, due to Lamport, of a one-time signature scheme based on any one-way function. We begin with the definition. Let Π = (Gen, Sign, Vrfy) be a signature scheme, and consider the following experiment for an adversary A and parameter n:

The one-time signature experiment Sig-forge^{1-time}_{A,Π}(n):

1. Gen(1^n) is run to obtain keys (pk, sk).

2. Adversary A is given pk and asks a single query m' to oracle Sign_sk(·). A then outputs (m, σ) where m ≠ m'.

3. The output of the experiment is defined to be 1 if and only if Vrfy_pk(m, σ) = 1.

DEFINITION 12.6 A signature scheme Π = (Gen, Sign, Vrfy) is existentially unforgeable under a single-message attack, or is a one-time signature scheme, if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that:

$$
\Pr[\mathsf{Sig\text{-}forge}^{1\text{-}time}_{A,\Pi}(n) = 1] \le \mathsf{negl}(n).
$$

The basic idea of Lamport's signature scheme is simple, and we illustrate it for the case of signing a 3-bit message. Let f be a one-way function. Recall this means f is easy to compute but hard to invert; see Definition 7.66. The public key consists of 6 elements y_{1,0}, y_{1,1}, y_{2,0}, y_{2,1}, y_{3,0}, y_{3,1} in the range of f; the private key contains the corresponding pre-images x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, x_{3,0}, x_{3,1}. These keys can be visualized as two-dimensional arrays:

$$
pk = \begin{pmatrix} y_{1,0} & y_{2,0} & y_{3,0} \\ y_{1,1} & y_{2,1} & y_{3,1} \end{pmatrix},
\qquad
sk = \begin{pmatrix} x_{1,0} & x_{2,0} & x_{3,0} \\ x_{1,1} & x_{2,1} & x_{3,1} \end{pmatrix}.
$$

To sign a message m = m_1 m_2 m_3, where each m_i is a single bit, the signer releases the appropriate pre-image x_{i,m_i} for 1 ≤ i ≤ 3; the signature σ simply consists of the three values (x_{1,m_1}, x_{2,m_2}, x_{3,m_3}). Verification is carried out in the natural way: presented with the candidate signature (x_1, x_2, x_3) on the message m = m_1 m_2 m_3, accept if and only if f(x_i) = y_{i,m_i} for 1 ≤ i ≤ 3. This is shown graphically in Figure 12.1. The general case for an arbitrary length ℓ is described formally in Construction 12.7.

FIGURE 12.1: The Lamport scheme used to sign the message m = 011.


CONSTRUCTION 12.7

Let f be a one-way function. Construct a signature scheme for messages of length ℓ = ℓ(n) as follows:

• Gen: on input 1^n, proceed as follows for i ∈ {1, ..., ℓ}:

1. Choose random x_{i,0}, x_{i,1} ← {0,1}^n.

2. Compute y_{i,0} := f(x_{i,0}) and y_{i,1} := f(x_{i,1}).

The public key pk and the private key sk are

$$
\begin{pmatrix} y_{1,0} & y_{2,0} & \cdots & y_{\ell,0} \\ y_{1,1} & y_{2,1} & \cdots & y_{\ell,1} \end{pmatrix},
\qquad
\begin{pmatrix} x_{1,0} & x_{2,0} & \cdots & x_{\ell,0} \\ x_{1,1} & x_{2,1} & \cdots & x_{\ell,1} \end{pmatrix}.
$$

• Sign: on input a private key sk as above and a message m ∈ {0,1}^ℓ with m = m_1 ··· m_ℓ, output the signature (x_{1,m_1}, ..., x_{ℓ,m_ℓ}).

• Vrfy: on input a public key pk as above, a message m ∈ {0,1}^ℓ with m = m_1 ··· m_ℓ, and a signature σ = (x_1, ..., x_ℓ), output 1 if and only if f(x_i) = y_{i,m_i} for all 1 ≤ i ≤ ℓ.
THEOREM 12.8 Let ℓ be any polynomial. If f is a one-way function, then Construction 12.7 is a one-time signature scheme for messages of length ℓ.


PROOF We let ℓ = ℓ(n) for the rest of the proof. As intuition for the security of the scheme, note that for an adversary given public key

$$
pk = \begin{pmatrix} y_{1,0} & y_{2,0} & \cdots & y_{\ell,0} \\ y_{1,1} & y_{2,1} & \cdots & y_{\ell,1} \end{pmatrix},
$$

finding an x such that f(x) = y_{i*,b*} for any (i*, b*) amounts to inverting f. So it will certainly be hard to compute a signature on any message m given only the public key. What about computing a signature on some message m after being given a signature on a different message m'? If m' ≠ m then there must be at least one position on which these messages differ. Say m_{i*} = b* ≠ m'_{i*}. Then forging a signature on m requires, in particular, finding an x such that f(x) = y_{i*,b*}. But finding such an x does not become any easier even when given {x_{i,b}} for all (i, b) ≠ (i*, b*) (since the values x_{i,b} are all chosen independently of x_{i*,b*}), and a signature on m' reveals even fewer "x-values" than these.

We now turn this intuition into a formal proof. Let Π denote the Lamport scheme. Let A be a probabilistic polynomial-time adversary, and define

$$
\varepsilon(n) \stackrel{\text{def}}{=} \Pr[\mathsf{Sig\text{-}forge}^{1\text{-}time}_{A,\Pi}(n) = 1].
$$

In a particular execution of Sig-forge^{1-time}_{A,Π}(n), let m' denote the message whose signature is requested by A (we assume without loss of generality that A always requests a signature on a message), and let (m, σ) denote the final output of A. We say that A outputs a forgery at (i, b) if Vrfy_pk(m, σ) = 1 and furthermore m_i ≠ m'_i (i.e., messages m and m' differ on their ith position) and m_i = b ≠ m'_i. Note that whenever A outputs a forgery, it outputs a forgery at some (i, b).

Consider the following PPT algorithm I attempting to invert the one-way function f:

Algorithm I:

The algorithm is given y and 1^n as input.

1. Choose random i* ← {1, ..., ℓ} and b* ← {0,1}. Set y_{i*,b*} := y.

2. For all i ∈ {1, ..., ℓ} and b ∈ {0,1} with (i, b) ≠ (i*, b*):

• Choose x_{i,b} ← {0,1}^n and set y_{i,b} := f(x_{i,b}).

3. Run A on input

$$
pk := \begin{pmatrix} y_{1,0} & y_{2,0} & \cdots & y_{\ell,0} \\ y_{1,1} & y_{2,1} & \cdots & y_{\ell,1} \end{pmatrix}.
$$

4. When A requests a signature on the message m':

• If m'_{i*} = b*, stop.

• Otherwise, return the correct signature σ = (x_{1,m'_1}, ..., x_{ℓ,m'_ℓ}).

5. When A outputs (m, σ) with σ = (x_1, ..., x_ℓ):

• If A outputs a forgery at (i*, b*), then output x_{i*}.




Whenever A outputs a forgery at (i*, b*), algorithm I succeeds in inverting its given input y. We are interested in the probability that this occurs when the input to I is generated by choosing a random x ← {0,1}^n and setting y := f(x) (cf. Definition 7.66). Imagine a "mental experiment" in which I is given x at the outset, sets x_{i*,b*} := x, and then always returns a signature to A in step 4 (i.e., even if m'_{i*} = b*). It is not hard to see that the view of A being run as a subroutine by I in this mental experiment is distributed identically to the view of A in experiment Sig-forge^{1-time}_{A,Π}(n). Therefore, the probability that A outputs a forgery in step 5 is exactly ε(n). Because (i*, b*) was chosen at random at the beginning of the experiment, and the view of A is independent of this choice, the probability that A outputs a forgery at (i*, b*), conditioned on the fact that A outputs a forgery at all, is at least 1/2ℓ(n). (This is because a signature forgery implies a forgery for at least one point (i, b). Since there are 2ℓ(n) points, the probability of the forgery being at (i*, b*) is at least 1/2ℓ(n).) We conclude that, in this mental experiment, the probability that A outputs a forgery at (i*, b*) is at least ε(n)/2ℓ(n).

Returning to the real experiment involving I as initially described, the key observation is that the probability that A outputs a forgery at (i*, b*) is unchanged. This is because the mental experiment and the real experiment coincide if A outputs a forgery at (i*, b*). That is, the experiments only differ if A requests a signature on a message m' with m'_{i*} = b*; but if this happens then it is impossible (by definition) for A to subsequently output a forgery at (i*, b*). So, in the real experiment, the probability that A outputs a forgery at (i*, b*) is still at least ε(n)/2ℓ(n). We thus have:

$$
\Pr[\mathsf{Invert}_{I,f}(n) = 1] \ge \varepsilon(n)/2\ell(n).
$$

Because f is a one-way function, there is a negligible function negl such that

$$
\Pr[\mathsf{Invert}_{I,f}(n) = 1] \le \mathsf{negl}(n).
$$

This implies that ε(n)/2ℓ(n) ≤ negl(n), and since ℓ is polynomial, that ε(n) itself is negligible. This completes the proof. ■


COROLLARY 12.9 If one-way functions exist, then for any polynomial ℓ there exists a one-time signature scheme for messages of length ℓ.


12.6  * Signatures  from  Collision-Resistant  Hashing 

We  have  not  yet  seen  any  signature  scheme  that  is  existentially  unforgeable 
under  an  adaptive  chosen-message  attack  (cf.  Definition  12.2).  Here  we  show 
a relatively  inefficient  construction  that  is  essentially  the  simplest  one  known 
based  on  any  of  the  cryptographic  assumptions  we  have  introduced  thus  far. 
The  construction  relies  on  the  existence  of  collision-resistant  hash  functions, 
and  serves  mainly  as  a proof  of  feasibility  for  realizing  Definition  12.2. 
We remark that signature schemes satisfying Definition 12.2 are, in general, 
quite  difficult  to  construct,  and  even  today  only  a few  efficient  schemes  that 
can  be  proven  to  satisfy  this  definition  are  known.  In  Chapter  13,  we  will 
discuss  a very  efficient  signature  scheme  that  can  be  proven  secure  in  a certain 
“idealized”  model  that  is  introduced  and  discussed  extensively  there.  The 
development  of  other  efficient  signature  schemes  that  can  be  proven  secure 
in  the  “standard”  model  we  have  been  using  until  now  is  an  area  of  active 
research  today. 

We  build  up  to  our  final  construction  in  stages.  In  Section  12.6.1  we  de- 
fine the  notion  of  a stateful  signature  scheme,  where  the  signer  updates  its 
private  key  after  each  signature,  and  show  how  to  construct  a stateful  sig- 
nature scheme  that  satisfies  Definition  12.2.  In  Section  12.6.2  we  discuss  a 
more  efficient  variant  of  this  scheme  (that  is  still  stateful)  and  show  that  this, 
too, is existentially unforgeable under an adaptive chosen-message attack. We 
then  describe  how  this  construction  can  be  made  stateless,  so  as  to  recover  a 
signature  scheme  as  originally  defined. 


12.6.1  “Chain-Based”  Signatures 

We  first  define  signature  schemes  that  allow  the  signer  to  maintain  some 
state  that  is  updated  after  every  signature  is  produced. 

DEFINITION 12.10 A stateful signature scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) satisfying the following:

1. The key-generation algorithm Gen takes as input a security parameter 1^n and outputs (pk, sk, s_0). These are called the public key, private key, and initial state, respectively. We assume pk and sk each have length at least n, and that n can be determined from pk, sk.

2. The signing algorithm Sign takes as input a private key sk, a value s_{i−1}, and a message m ∈ {0,1}*. It outputs a signature σ and a value s_i.

3. The deterministic verification algorithm Vrfy takes as input a public key pk, a message m, and a signature σ. It outputs a bit b.

We require that for every n, every (pk, sk, s_0) output by Gen(1^n), and any messages m_1, ..., m_ℓ ∈ {0,1}*, if we compute (σ_i, s_i) ← Sign_{sk, s_{i−1}}(m_i) recursively for i ∈ {1, ..., ℓ}, then for every i ∈ {1, ..., ℓ},

$$
\mathsf{Vrfy}_{pk}(m_i, \sigma_i) = 1.
$$

If (Gen, Sign, Vrfy) is such that for every (pk, sk) output by Gen(1^n), algorithm Sign_sk is only defined for messages m ∈ {0,1}^{ℓ(n)} (and Vrfy_pk outputs 0 for m ∉ {0,1}^{ℓ(n)}), then we say (Gen, Sign, Vrfy) is a stateful signature scheme for messages of length ℓ(n).
We emphasize that the state is not needed to verify a signature (in fact, 
depending  on  the  scheme,  the  state  may  need  to  be  kept  secret  in  order  for 
security  to  hold).  Signature  schemes  which  do  not  maintain  state  are  called 
stateless  to  distinguish  them  from  stateful  schemes.  Clearly,  stateless  schemes 
are  preferable  (although  stateful  schemes  can  still  potentially  be  useful).  Nev- 
ertheless, as  mentioned,  our  aim  in  introducing  stateful  signatures  is  as  a 
stepping  stone  to  a full  stateless  construction. 

Existential  unforgeability  under  an  adaptive  chosen-message  attack  for  the 
case of stateful signature schemes is defined in a manner exactly analogous 
to  Definition  12.2,  with  the  only  subtleties  being  that  the  signing  oracle  only 
returns  the  signature  (and  not  the  state),  and  the  signing  oracle  updates  the 
state  appropriately  each  time  it  is  invoked. 

We can easily construct a stateful "ℓ-time" signature scheme that can sign ℓ = ℓ(n) messages for any polynomial ℓ. (The notion of security here would be analogous to the definition of one-time signatures given earlier; we do not give a formal definition since our discussion here is only informal.) Such a construction works by simply letting the public key consist of ℓ independently-generated public keys for any one-time signature scheme, with the private key similarly constructed; i.e., set pk := (pk_1, ..., pk_ℓ) and sk := (sk_1, ..., sk_ℓ) where each (pk_i, sk_i) is an independently-generated key-pair for some one-time signature scheme. The state is a counter initially set to 1. To sign a message m using the private key sk and current state s ≤ ℓ, simply output σ ← Sign_{sk_s}(m) (that is, generate a one-time signature on m using the private key sk_s) and update the state to s + 1. Since the initial state starts at 1, this means the ith message is signed using sk_i. Verification of a signature σ on a message m can be done by checking whether σ is a valid signature on m with respect to any of the {pk_i}.

Intuitively, this scheme is secure if used to sign ℓ messages since each private key is used to sign only a single message. Since ℓ may be an arbitrary polynomial, why doesn't this give us the solution we are looking for? The main drawback is that the scheme requires the upper bound ℓ on the number of messages that can be signed to be fixed in advance, at the time of key generation. (In particular, the scheme does not satisfy Definition 12.2.) This is a potentially severe limitation since once the upper bound is reached a new public key would have to be generated and distributed. We would like instead to have a single, fixed scheme that can support signing an unbounded number of messages. Another drawback of the scheme is the fact that it is not very efficient, since the public and private keys have length that is linear in the total number of messages that can be signed.

Let Π = (Gen, Sign, Vrfy) be a one-time signature scheme. In the scheme we have just described, the signer runs ℓ invocations of Gen to obtain public keys pk_1, ..., pk_ℓ, and includes each of these in its actual public key pk. The signer is then restricted to signing at most ℓ messages. We can do better by using a "chain-based scheme" in which the signer generates and certifies additional public keys on-the-fly as needed.
FIGURE 12.2: Chain-based signatures: the situation before and after signing the third message m_3.


In the chain-based scheme, the public key consists of just a single public key pk_1 generated using Gen, and the private key contains the associated private key sk_1. To sign the first message m_1, the signer first generates a new key-pair (pk_2, sk_2) using Gen, and then signs both m_1 and pk_2 using sk_1 to obtain σ_1 ← Sign_{sk_1}(m_1 || pk_2). The signature that is output includes both pk_2 and σ_1, and the signer adds (m_1, pk_2, sk_2, σ_1) to its current state. In general, when it comes time to sign the ith message the signer will have stored {(m_j, pk_{j+1}, sk_{j+1}, σ_j)}_{j=1}^{i−1} as part of its state. To sign the ith message m_i, the signer first generates a new key-pair (pk_{i+1}, sk_{i+1}) using Gen, and then signs m_i and pk_{i+1} using sk_i to obtain a signature σ_i ← Sign_{sk_i}(m_i || pk_{i+1}). The actual signature that is output includes pk_{i+1}, σ_i, and also the values {(m_j, pk_{j+1}, σ_j)}_{j=1}^{i−1}. The signer then adds (m_i, pk_{i+1}, sk_{i+1}, σ_i) to its state. See Figure 12.2 for a graphical depiction of this process.

To verify a signature (pk_{i+1}, σ_i, {(m_j, pk_{j+1}, σ_j)}_{j=1}^{i−1}) on a message m = m_i with respect to public key pk_1, the receiver verifies each link between the public key pk_j and the next public key pk_{j+1} in the chain, as well as the link between the last public key pk_{i+1} and m. That is, the verification procedure outputs 1 if and only if Vrfy_{pk_j}(m_j || pk_{j+1}, σ_j) = 1 for all j ∈ {1, ..., i}. (Refer to Figure 12.2.) Observe that this verification begins from the public key pk_1 that was initially distributed.

It is not hard to be convinced — at least on an intuitive level — that a signature scheme thus constructed is existentially unforgeable under an adaptive chosen-message attack (regardless of how many messages are signed). Informally, this is once again due to the fact that each key-pair (pk_i, sk_i) is used to sign only a single "message" (where in this case the "message" is actually a message/public-key pair m_i || pk_{i+1}). Since we are going to prove the security of a more efficient scheme in the next section, we do not give a formal proof of security for the chain-based scheme here.

In  the  chain-based  scheme,  each  public  key  pki  is  used  to  sign  both  a mes- 
sage and  another  public  key.  Thus,  it  is  essential  for  the  underlying  one-time 
signature  scheme  II  to  be  capable  of  signing  messages  longer  than  the  public 
key.  The  Lamport  scheme  presented  in  Section  12.5  does  not  have  this  prop- 
erty. However,  if  we  apply  the  “hash-and-sign”  paradigm  from  Section  12.4 
to  the  Lamport  scheme,  we  do  obtain  a one-time  signature  scheme  that  can 
sign  messages  of  arbitrary  length.  (Although  Theorem  12.5  was  stated  only 
with  regard  to  signature  schemes  satisfying  Definition  12.2,  it  is  not  hard  to 
see  that  an  identical  proof  works  for  one-time  signature  schemes.)  Because 
this  result  is  crucial  for  the  next  section,  we  state  it  formally. 


LEMMA 12.11 If collision-resistant hash functions exist, then there exists a one-time signature scheme (for messages of arbitrary length).

PROOF As mentioned, we simply use the hash-and-sign paradigm of Theorem 12.5 in conjunction with the Lamport signature scheme. Note that the existence of collision-resistant hash functions implies the existence of one-way functions (see Exercise 12.10), and so this assumption suffices. ■


The chain-based signature scheme is a stateful signature scheme which is existentially unforgeable under an adaptive chosen-message attack. It has a number of disadvantages, though. For one, there is no immediate way to eliminate the state (recall that our ultimate goal is a stateless scheme satisfying Definition 12.2). It is also not very efficient, in that the signature length, size of the state, and verification time are all linear in the number of messages that have been signed. Finally, each signature reveals all previous messages that have been signed. While this does not technically violate any security requirement for signatures, this may be undesirable in some contexts.

12.6.2  “Tree-Based”  Signatures 

The  signer  in  the  chain-based  scheme  of  the  previous  section  can  be  viewed 
as maintaining a tree, rooted at the public key pk_1, whose degree is 1 and whose 
depth  is  equal  to  the  number  of  messages  signed  thus  far  (cf.  Figure  12.2).  A 
natural  way  to  improve  the  efficiency  of  this  approach  is  to  use  a binary  tree 
in  which  each  node  has  degree  2.  As  before,  a signature  will  correspond  to  a 
“certified”  path  in  the  tree  from  a leaf  to  the  root;  notice  that  as  long  as  the 
tree  has  polynomial  depth  (even  if  it  has  exponential  size!),  verification  can 
still  be  done  in  polynomial  time. 

Concretely, to sign messages of length n we will work with a binary tree of depth n having 2^n leaves. As before, the signer will add nodes to the tree "on-the-fly," as needed. In contrast to the chain-based scheme, though, only leaves (and not internal nodes) will be used to certify messages. Each leaf of the tree will correspond to one of the possible messages of length n.

FIGURE 12.3: Tree-based signatures: signing the message m = 101.

In more detail, we imagine a binary tree of depth n where the root is labeled by ε (i.e., the empty string), and a node that is labeled with the binary string w of length less than n has left-child labeled w0 and right-child labeled w1. This tree is never constructed in its entirety (note that it is exponentially large), but is instead built up by the signer as needed.

For every node w we associate a pair of keys pk_w, sk_w for some one-time signature scheme Π. The public key of the root, pk_ε, is the actual public key of the signer. To sign a message m ∈ {0,1}^n, the signer carries out the following steps:

1. It first generates keys (as needed) for all nodes on the path from the root to the leaf labeled m. (Some of these public keys may have been generated in the process of signing previous messages, and in this case are not generated again.)

2. Next, it "certifies" the path from the root to the leaf labeled m by computing a signature on pk_{w0} || pk_{w1} using private key sk_w, for each string w that is a proper prefix of m.

3. Finally, it "certifies" m itself by computing a signature on m with the private key sk_m.

The final signature on m consists of the signature on m with respect to pk_m, as well as all the information needed to verify the path from the leaf labeled m to the root; see Figure 12.3. Additionally, the signer updates its state by storing all the key pairs generated as part of the above signing process. A formal description of this scheme is given as Construction 12.12.


CONSTRUCTION 12.12

Let Π = (Gen, Sign, Vrfy) be a signature scheme. For a binary string m, let m|_i := m_1 ··· m_i denote the i-bit prefix of m (with m|_0 = ε, the empty string). Construct the scheme Π* = (Gen*, Sign*, Vrfy*) as follows:

• Gen*: on input 1^n, compute (pk_ε, sk_ε) ← Gen(1^n) and output the public key pk_ε. The private key and initial state are sk_ε.

• Sign*: on input a message m ∈ {0,1}^n, carry out the following.

1. For i = 0 to n − 1:

If pk_{m|_i 0}, pk_{m|_i 1}, and σ_{m|_i} are not in the state, compute (pk_{m|_i 0}, sk_{m|_i 0}) ← Gen(1^n), (pk_{m|_i 1}, sk_{m|_i 1}) ← Gen(1^n), and σ_{m|_i} ← Sign_{sk_{m|_i}}(pk_{m|_i 0} || pk_{m|_i 1}). In addition, add all of these values to the state.

2. If σ_m is not yet included in the state, compute σ_m ← Sign_{sk_m}(m) and store it as part of the state.

3. Output the signature ({σ_{m|_i}, pk_{m|_i 0}, pk_{m|_i 1}}_{i=0}^{n−1}, σ_m).

• Vrfy*: on input a public key pk_ε, message m, and signature ({σ_{m|_i}, pk_{m|_i 0}, pk_{m|_i 1}}_{i=0}^{n−1}, σ_m), output 1 if and only if:

1. Vrfy_{pk_{m|_i}}(pk_{m|_i 0} || pk_{m|_i 1}, σ_{m|_i}) = 1 for all i ∈ {0, ..., n − 1}.

2. Vrfy_{pk_m}(m, σ_m) = 1.

A "tree-based" signature scheme.


Notice that each of the underlying keys in this scheme is used to sign only a single "message". Each key associated with an internal node signs a pair of public keys, and keys at leaves are used to sign a single message (once). Note that the keys are used to sign a pair of other keys, and thus we need the one-time signature scheme Π to be capable of signing messages longer than the public key. Lemma 12.11 shows that such schemes can be constructed based on collision-resistant hash functions.

Before proving security of this tree-based approach, note that it improves on the chain-based scheme in a number of respects. It still allows for signing an unbounded number of messages. (Although there are only 2^n leaves, the message space contains only 2^n messages. In any case, 2^n is eventually larger than any polynomial function of n.) In terms of efficiency, the signature length and verification time are now proportional to the message length n but are independent of the number of messages signed. The scheme is still stateful, but we will see how this can be avoided after we prove the following result.
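The three constructions above, as an added example that is not the book's code: Construction 12.7 with SHA-256 standing in for the one-way function f, wrapped by the hash-and-sign of Construction 12.4 (SHA-256 under a random salt standing in for H^s, as in Lemma 12.11), and Construction 12.12 built on that one-time scheme as Π. The function names, the message length n, and the byte encoding used so that a public key can itself be signed are this example's own choices.

```python
"""Lamport one-time signatures (Construction 12.7), extended to arbitrary-
length messages by hash-and-sign (Construction 12.4 / Lemma 12.11), and
used as the one-time scheme Pi inside the stateful tree-based scheme of
Construction 12.12.  Added example, not the book's code.  Assumptions:
SHA-256 plays both the one-way function f and the keyed hash H^s (the
random salt s stands in for the output of Gen_H); the tree-based scheme's
message length n is a parameter (4 in the checks, so labels are 4-bit)."""
import hashlib
import os

L = 256  # the Lamport scheme signs L-bit digests (fixed-length messages)


def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f."""
    return hashlib.sha256(x).digest()


def H(s: bytes, m: bytes) -> bytes:
    """Stand-in for the keyed collision-resistant hash H^s."""
    return hashlib.sha256(s + m).digest()


def bits(d: bytes) -> list:
    """Big-endian bit list m_1 ... m_L of a digest."""
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * len(d))]


# Construction 12.7: Lamport scheme for messages of exactly L bits.
def lamport_gen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(L)]  # x_{i,0}, x_{i,1}
    pk = [(f(x0), f(x1)) for x0, x1 in sk]                      # y_{i,0}, y_{i,1}
    return pk, sk

def lamport_sign(sk, digest: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(bits(digest))]       # release x_{i,m_i}

def lamport_verify(pk, digest: bytes, sig) -> bool:
    if len(sig) != L:
        return False
    return all(f(x) == pk[i][b] for i, (x, b) in enumerate(zip(sig, bits(digest))))


# Construction 12.4: hash-and-sign turns the scheme above into one for {0,1}*.
def ots_gen():
    pk, sk = lamport_gen()
    s = os.urandom(16)                      # hash key s, as output by Gen_H
    return (pk, s), (sk, s)                 # pk' = (pk, s), sk' = (sk, s)

def ots_sign(skp, m: bytes) -> list:
    sk, s = skp
    return lamport_sign(sk, H(s, m))        # Sign_sk(H^s(m))

def ots_verify(pkp, m: bytes, sig) -> bool:
    pk, s = pkp
    return lamport_verify(pk, H(s, m), sig)  # Vrfy_pk(H^s(m), sigma)

def pk_bytes(pkp) -> bytes:
    """Canonical encoding of pk' so that a public key can itself be signed."""
    pk, s = pkp
    return b"".join(y0 + y1 for y0, y1 in pk) + s


# Construction 12.12: stateful tree-based scheme over n-bit messages.
class TreeSigner:
    """Node labels are bit strings w; keys[w] = (pk_w, sk_w); sigs[w] = sigma_w."""

    def __init__(self, n: int):
        self.n = n
        self.keys = {"": ots_gen()}         # root key pair (pk_eps, sk_eps)
        self.sigs = {}

    def public_key(self):
        return self.keys[""][0]             # pk_eps is the signer's public key

    def sign(self, m: str):
        assert len(m) == self.n and set(m) <= {"0", "1"}
        path = []
        for i in range(self.n):             # certify the path root -> leaf m
            w = m[:i]                       # the prefix m|_i
            if w not in self.sigs:          # children of w not yet certified
                self.keys[w + "0"], self.keys[w + "1"] = ots_gen(), ots_gen()
                kids = pk_bytes(self.keys[w + "0"][0]) + pk_bytes(self.keys[w + "1"][0])
                self.sigs[w] = ots_sign(self.keys[w][1], kids)   # Sign_{sk_w}(pk_w0 || pk_w1)
            path.append((self.sigs[w], self.keys[w + "0"][0], self.keys[w + "1"][0]))
        if m not in self.sigs:              # sk_m signs m exactly once, ever
            self.sigs[m] = ots_sign(self.keys[m][1], m.encode())
        return path, self.sigs[m]


def tree_verify(pk_root, m: str, sig) -> bool:
    """Vrfy*: check every link from pk_eps down to pk_m, then sigma_m on m."""
    path, sigma_m = sig
    if len(path) != len(m):
        return False
    pk = pk_root
    for i, (sigma_w, pk0, pk1) in enumerate(path):
        if not ots_verify(pk, pk_bytes(pk0) + pk_bytes(pk1), sigma_w):
            return False
        pk = pk1 if m[i] == "1" else pk0    # descend to pk_{m|_{i+1}}
    return ots_verify(pk, m.encode(), sigma_m)
```

Signing the same message twice returns the stored signature rather than reusing sk_m, and each new signature adds at most 2n key pairs to the state, which is the count the proof of Theorem 12.13 relies on.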

THEOREM 12.13 Let Π be a one-time signature scheme. Then Construction 12.12 is existentially unforgeable under an adaptive chosen-message attack.

PROOF Let Π* denote Construction 12.12. Let A* be a probabilistic polynomial-time adversary, let ℓ* = ℓ*(n) be a (polynomial) upper bound on the number of signing queries made by A*, and set ℓ(n) := 2nℓ*(n) + 1; for shorthand we will write ℓ instead of ℓ(n). Note that ℓ(n) upper bounds the number of public keys from Π that are needed to generate ℓ*(n) signatures using Π*. This is because each signature in Π* requires at most 2n new keys from Π (in the worst case), and one additional key from Π is used as the actual public key pk_ε. Define

$$
\delta(n) \stackrel{\text{def}}{=} \Pr[\mathsf{Sig\text{-}forge}_{A^*,\Pi^*}(n) = 1].
$$

Consider  the  following  ppt  adversary  A attacking  the  one-time  signature 
scheme  II: 

Adversary $\mathcal{A}$:

$\mathcal{A}$ is given as input a public key $pk$ (the security parameter $n$ is implicit).

• Choose a random index $i^* \leftarrow \{1, \ldots, \ell\}$. Construct a list $pk^1, \ldots, pk^\ell$ of keys as follows:

— Set $pk^{i^*} := pk$.

— For $i \ne i^*$, compute $(pk^i, sk^i) \leftarrow \mathsf{Gen}(1^n)$.

• Run $\mathcal{A}^*$ on input public key $pk_\varepsilon = pk^1$. When $\mathcal{A}^*$ requests a signature on a message $m$ do:

1. For $i = 0$ to $n - 1$:

— If the values $pk_{m|_i 0}$, $pk_{m|_i 1}$, and $\sigma_{m|_i}$ have not yet been defined, then set $pk_{m|_i 0}$ and $pk_{m|_i 1}$ equal to the next two unused public keys $pk^j$ and $pk^{j+1}$, and compute a signature $\sigma_{m|_i}$ on $pk_{m|_i 0} \| pk_{m|_i 1}$ with respect to $pk_{m|_i}$.³

2. If $\sigma_m$ is not yet defined, compute a signature $\sigma_m$ on $m$ with respect to $pk_m$ (see footnote 3).

3. Give $(\sigma_m, \{pk_{m|_i 0}, pk_{m|_i 1}, \sigma_{m|_i}\}_{i=0}^{n-1})$ to $\mathcal{A}^*$.

• Say $\mathcal{A}^*$ outputs a message $m$ (for which it had not previously requested a signature) and a signature $(\sigma'_m, \{pk'_{m|_i 0}, pk'_{m|_i 1}, \sigma'_{m|_i}\}_{i=0}^{n-1})$. If this is a valid signature on $m$, then:

Case 1: Say there exists a $j \in \{0, \ldots, n-1\}$ for which $pk'_{m|_j 0} \ne pk_{m|_j 0}$ or $pk'_{m|_j 1} \ne pk_{m|_j 1}$; this includes the case when $pk_{m|_j 0}$ or $pk_{m|_j 1}$ were never defined by $\mathcal{A}$. Take the minimal such $j$, and let $i$ be such that $pk^i = pk_{m|_j} = pk'_{m|_j}$ (such an $i$ exists by the minimality of $j$). If $i = i^*$, output $(pk'_{m|_j 0} \| pk'_{m|_j 1},\ \sigma'_{m|_j})$.

Case 2: If case 1 does not hold, then $pk'_m = pk_m$. Let $i$ be such that $pk^i = pk_m$. If $i = i^*$, output $(m, \sigma'_m)$.

This completes the description of $\mathcal{A}$.

³ If $i \ne i^*$ then $\mathcal{A}$ can compute a signature with respect to $pk^i$ by itself. $\mathcal{A}$ can also obtain a (single) signature with respect to $pk^{i^*}$ by making the appropriate query to its signing oracle. This is what is meant here.

In experiment $\mathsf{Sig\text{-}forge}^{1\text{-}time}_{\mathcal{A},\Pi}(n)$, the view of $\mathcal{A}^*$ being run as a subroutine by $\mathcal{A}$ is distributed identically to the view of $\mathcal{A}^*$ in experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A}^*,\Pi^*}(n)$.⁴ Thus, the probability that $\mathcal{A}^*$ outputs a forgery is exactly $\delta(n)$ when it is run as a subroutine by $\mathcal{A}$ in this experiment. Given that $\mathcal{A}^*$ outputs a forgery, consider each of the two possible cases described above:

Case 1: Since $i^*$ was chosen uniformly at random and is independent of the view of $\mathcal{A}^*$, the probability that $i = i^*$ is exactly $1/\ell$. If $i = i^*$, then $\mathcal{A}$ requested a signature on the message $pk_{m|_j 0} \| pk_{m|_j 1}$ with respect to the public key $pk = pk^{i^*} = pk_{m|_j}$ that it was given (and requested no other signatures). Moreover,

$$pk'_{m|_j 0} \| pk'_{m|_j 1} \ne pk_{m|_j 0} \| pk_{m|_j 1}$$

and yet $\sigma'_{m|_j}$ is a valid signature on $pk'_{m|_j 0} \| pk'_{m|_j 1}$ with respect to $pk$. Thus, $\mathcal{A}$ outputs a forgery in this case.

Case 2: Again, since $i^*$ was chosen uniformly at random and is independent of the view of $\mathcal{A}^*$, the probability that $i = i^*$ is exactly $1/\ell$. If $i = i^*$, then $\mathcal{A}$ did not request any signatures with respect to the public key $pk = pk^{i^*} = pk_m$ and yet $\sigma'_m$ is a valid signature on $m$ with respect to $pk$.

⁴ As we have mentioned, $\mathcal{A}$ never "runs out" of public keys. A signing query of $\mathcal{A}^*$ uses $2n$ public keys; thus, even if new public keys were required to answer every signing query of $\mathcal{A}^*$ (which will in general not be the case), only $2n\ell^*(n)$ public keys would be needed by $\mathcal{A}$ in addition to the "root" public key $pk^1$.

We see that, conditioned on $\mathcal{A}^*$ outputting a forgery (and regardless of which of the above cases occurs), $\mathcal{A}$ outputs a forgery with probability exactly $1/\ell$. This means that

$$\Pr[\mathsf{Sig\text{-}forge}^{1\text{-}time}_{\mathcal{A},\Pi}(n) = 1] = \delta(n)/\ell(n).$$

Because $\Pi$ is a one-time signature scheme, we know that there exists a negligible function $\mathsf{negl}$ for which

$$\Pr[\mathsf{Sig\text{-}forge}^{1\text{-}time}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n).$$

Since $\ell$ is polynomial, we conclude that $\delta(n)$ must be negligible.


A Stateless  Solution 

The signer's state in $\Pi^*$ depends on the messages signed. However, it is possible to imagine having the signer generate all necessary information for all the nodes in the entire tree in advance, at the time of key generation. (That is, at the time of key generation the signer could generate the keys $\{(pk_w, sk_w)\}$ and the signatures $\{\sigma_w\}$ for all binary strings $w$ of length at most $n$.) If key generation were done in this way, then the signer would not have to update its state at all; these values could all be stored as part of a (large) private key, and we would obtain a stateless scheme. The problem with this approach, of course, is that generating all these values would require exponential time.

An alternative is to store some randomness that can be used to generate the values $\{(pk_w, sk_w)\}$ and $\{\sigma_w\}$ as needed, rather than storing the values themselves. That is, the signer could store a random string $r_w$ for each $w$, and whenever the values $pk_w, sk_w$ are needed the signer can compute $(pk_w, sk_w) := \mathsf{Gen}(1^n; r_w)$, where this denotes the generation of a length-$n$ key using random coins $r_w$. Similarly, if the signing procedure is probabilistic, the signer can store $r'_w$ and then set $\sigma_w := \mathsf{Sign}_{sk_w}(pk_{w0} \| pk_{w1}; r'_w)$ (assuming here that $|w| < n$). Generating and storing sufficiently many random strings, however, still requires exponential time and space.

A simple modification of this alternative gives a polynomial-time solution. Instead of storing random $r_w$ and $r'_w$ as suggested above, the signer can store two keys $k, k'$ for a pseudorandom function $F$. When needed, the values $pk_w, sk_w$ can now be generated by the following two-step process:

1. Compute $r_w := F_k(w)$.⁵

2. Compute $(pk_w, sk_w) := \mathsf{Gen}(1^n; r_w)$ (as before).

⁵ We assume that the output length of $F$ is sufficiently long, and that $w$ is padded to some fixed-length string in a one-to-one fashion. We ignore these technicalities here.

In addition, the key $k'$ is used to generate the value $r'_w$ that is used to compute the signature $\sigma_w$. This gives a stateless signature scheme in which key generation (as well as signing and verifying) can be carried out in polynomial time. Intuitively, this works because storing a random function is equivalent to storing all the $r_w$ and $r'_w$ values that are needed, and storing a pseudorandom function is "just as good". We leave it as an exercise to prove that this modified scheme remains existentially unforgeable under an adaptive chosen-message attack.
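As an added example (not code from the book), the following Python sketch instantiates the stateless variant just described: the one-time scheme $\Pi$ is Lamport's scheme applied to a SHA-256 digest (hash-and-sign, as in Lemma 12.11), and HMAC-SHA256 plays the role of the pseudorandom function $F$, so every node's key pair is recomputed from $F_k(w)$ whenever it is needed instead of being stored. The tree depth, the "node:" padding of $w$, and all function names are choices made for this example.

```python
import hashlib
import hmac
import os

DIGEST_BITS = 256   # the one-time scheme signs a SHA-256 digest (hash-and-sign, Lemma 12.11)
CHUNK = 32          # bytes per hash output and per secret preimage


def prf(key, label):
    """F_k(label): HMAC-SHA256 plays the role of the pseudorandom function F."""
    return hmac.new(key, label, hashlib.sha256).digest()


def digest_bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def lamport_gen(seed):
    """Gen(1^n; r_w): all 2*256 secret preimages are derived from r_w, so nothing is stored."""
    sk = [[prf(seed, bytes([b]) + i.to_bytes(2, "big")) for b in (0, 1)]
          for i in range(DIGEST_BITS)]
    pk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return pk, sk


def encode_pk(pk):
    return b"".join(h for pair in pk for h in pair)


def lamport_sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(digest_bits(msg)))


def lamport_verify(pk, msg, sig):
    if len(sig) != DIGEST_BITS * CHUNK:
        return False
    return all(hashlib.sha256(sig[i * CHUNK:(i + 1) * CHUNK]).digest() == pk[i][b]
               for i, b in enumerate(digest_bits(msg)))


class StatelessTreeSigner:
    """Construction 12.12 where every node key pair is regenerated from F_k(w) on demand."""

    def __init__(self, depth, k=None):
        self.depth = depth                               # messages are depth-bit strings
        self.k = k if k is not None else os.urandom(32)  # the entire private key
        self.root_pk = self.node_keys("")[0]             # pk_epsilon, the public key

    def node_keys(self, w):
        # w is a bit-string of length <= depth; prefixing "node:" to the variable-length
        # string is the one-to-one padding that footnote 5 leaves implicit (our assumption).
        return lamport_gen(prf(self.k, b"node:" + w.encode()))

    def sign(self, m):
        assert len(m) == self.depth and set(m) <= {"0", "1"}
        path = []
        for i in range(self.depth):
            w = m[:i]
            _, sk_w = self.node_keys(w)
            pk_w0, pk_w1 = self.node_keys(w + "0")[0], self.node_keys(w + "1")[0]
            # Lamport signing is deterministic, so the second key k' for r'_w is not needed:
            # re-signing the same pair under sk_w always reproduces the same sigma_w.
            path.append((pk_w0, pk_w1, lamport_sign(sk_w, encode_pk(pk_w0) + encode_pk(pk_w1))))
        _, sk_m = self.node_keys(m)
        return lamport_sign(sk_m, m.encode()), path


def tree_verify(root_pk, m, signature):
    """Walk from pk_epsilon down to pk_m, checking each sigma_{m|i}, then check sigma_m."""
    sigma_m, path = signature
    if len(path) != len(m):
        return False
    pk_cur = root_pk
    for bit, (pk0, pk1, sigma) in zip(m, path):
        if not lamport_verify(pk_cur, encode_pk(pk0) + encode_pk(pk1), sigma):
            return False
        pk_cur = pk0 if bit == "0" else pk1
    return lamport_verify(pk_cur, m.encode(), sigma_m)
```

Because the signer keeps only $k$, two signers built from the same $k$ produce the same public key and the same signature for the same message, which is exactly the statelessness the text is after.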

Since  the  existence  of  collision-resistant  hash  functions  implies  the  existence 
of  one-way  functions  (cf.  Exercise  12.10),  and  the  latter  implies  the  existence 
of  pseudorandom  functions  (see  Chapter  6),  we  have: 


THEOREM  12.14  If  collision-resistant  hash  functions  exist,  then  there 
exists  a (stateless)  signature  scheme  that  is  existentially  unforgeable  under  an 
adaptive  chosen-message  attack. 

We  remark  that  it  is  possible  to  construct  signature  schemes  satisfying 
Definition  12.2  from  the  (minimal)  assumption  that  one-way  functions  exist; 
a proof  of  this  result  is  beyond  the  scope  of  this  book. 


12.7  The  Digital  Signature  Standard  (DSS) 

Hashed RSA signatures as described in Section 12.3.2, and variants thereof, give one example of signature schemes that are widely used in practice. Another important example is the Digital Signature Standard (DSS), sometimes also known as the Digital Signature Algorithm (DSA). This scheme was proposed by the US National Institute of Standards and Technology (NIST) in 1991, and has since become a US government standard. The security of DSS relies on the hardness of the discrete logarithm problem, and the scheme has been used for many years without any serious attacks being found. As in the case of hashed RSA signatures, however, there is no known proof of security for DSS based on the discrete logarithm (or any other) assumption. We noted previously that hashed RSA signatures can be proven secure in a certain idealized model to be described in the following chapter. Unfortunately, DSS has no proof of security even in this idealized model. For these reasons, we must content ourselves with only giving a description of the scheme.

Let $\mathcal{G}$ be a probabilistic polynomial-time algorithm that, on input $1^n$, outputs $(p, q, g)$ where, except with negligible probability: (1) $p$ and $q$ are primes with $\|q\| = n$; (2) $q \mid (p-1)$ but $q^2 \nmid (p-1)$; and (3) $g$ is a generator of the subgroup of $\mathbb{Z}_p^*$ having order $q$. (E.g., the algorithm in Section 7.3.3 could be used.) DSS is given as Construction 12.15.
CONSTRUCTION 12.15

Let $\mathcal{G}$ be as in the text. Define a signature scheme as follows:

• Gen: on input $1^n$, run the algorithm $\mathcal{G}(1^n)$ to obtain $(p, q, g)$. Let $H : \{0,1\}^* \to \mathbb{Z}_q$ be a function. Choose $x \leftarrow \mathbb{Z}_q$ uniformly at random and set $y := [g^x \bmod p]$. The public key is $(H, p, q, g, y)$ and the private key is $(H, p, q, g, x)$.

• Sign: on input a private key $(H, p, q, g, x)$ and a message $m \in \{0,1\}^*$, choose $k \leftarrow \mathbb{Z}_q^*$ uniformly at random and set $r := [[g^k \bmod p] \bmod q]$. Compute $s := [(H(m) + xr) \cdot k^{-1} \bmod q]$, and output the signature $(r, s)$.

• Vrfy: on input a public key $(H, p, q, g, y)$, a message $m \in \{0,1\}^*$, and a signature $(r, s)$ with $r \in \mathbb{Z}_q$ and $s \in \mathbb{Z}_q^*$, compute the values $u_1 := [H(m) \cdot s^{-1} \bmod q]$ and $u_2 := [r \cdot s^{-1} \bmod q]$. Output 1 if and only if

$$r = [[g^{u_1} y^{u_2} \bmod p] \bmod q].$$

The Digital Signature Standard (DSS).

Let us see that the scheme is correct. Letting $\tilde m = H(m)$, the signature $(r, s)$ output by the signer satisfies

$$r = [[g^k \bmod p] \bmod q] \quad \text{and} \quad s = [(\tilde m + xr) \cdot k^{-1} \bmod q].$$

Assume $s \ne 0$ (this occurs with only negligible probability). Using the fact that $y = g^x$ and recalling that we can work "in the exponent" modulo $q$, we have

$$g^{u_1} y^{u_2} = g^{\tilde m \cdot s^{-1}} \cdot g^{x r \cdot s^{-1}} = g^{(\tilde m + xr) \cdot s^{-1}} = g^{(\tilde m + xr) \cdot (\tilde m + xr)^{-1} \cdot k} = g^k \bmod p.$$

Thus, $[[g^{u_1} y^{u_2} \bmod p] \bmod q] = [[g^k \bmod p] \bmod q] = r$, and verification succeeds.


12.8  Certificates  and  Public-Key  Infrastructures 

We conclude this chapter with a brief discussion of one of the primary applications of digital signatures: the secure distribution of public keys. This brings us full-circle in our discussion of public-key cryptography. In this and the previous three chapters we have seen how to use public-key cryptography once public keys are securely distributed. Now we show how public-key cryptography itself can be used to securely distribute public keys. This may sound circular, but is not. Essentially what we will show is that once a single public key (belonging to some trusted party) is distributed in a secure fashion, this key can be used to "bootstrap" the secure distribution of arbitrarily-many other public keys. Thus, the problem of secure key distribution need only be solved once (theoretically speaking, at least).

The key idea is the notion of a digital certificate, which is simply a signature binding some entity to some public key. To be concrete, say a party Charlie has generated a key-pair $(pk_C, sk_C)$ for a secure digital signature scheme (in this section, we will only be concerned with signature schemes satisfying Definition 12.2). Assume further that another party Bob has also generated a key-pair $(pk_B, sk_B)$ (in the present discussion, these may be keys for either a signature scheme or a public-key encryption scheme), and that Charlie knows that $pk_B$ is Bob's public key. Then Charlie can compute the signature

$$\mathsf{cert}_{C \to B} \stackrel{\text{def}}{=} \mathsf{Sign}_{sk_C}(\text{`Bob's key is } pk_B\text{'})$$

and give this signature to Bob. This signature $\mathsf{cert}_{C \to B}$ is called a certificate for Bob's key issued by Charlie. In practice a certificate should unambiguously identify the party holding a particular public key and so a more uniquely descriptive term than "Bob" would be used, for example, Bob's full name and email address.

Now say Bob wants to communicate with some other party Alice who already knows $pk_C$. What Bob can do is to send $(pk_B, \mathsf{cert}_{C \to B})$ to Alice, who can then verify that $\mathsf{cert}_{C \to B}$ is indeed a valid signature on the message `Bob's key is $pk_B$' with respect to $pk_C$. Assuming verification succeeds, Alice now knows that Charlie has signed the indicated message. If Alice trusts Charlie, then she might now accept $pk_B$ as Bob's legitimate public key.

Note that all communication between Bob and Alice can occur over an insecure and unauthenticated channel. If an active adversary interferes with the communication of $(pk_B, \mathsf{cert}_{C \to B})$ from Bob to Alice, that adversary will be unable to generate a valid certificate linking Bob to any other public key $pk'_B$ unless Charlie had previously signed some other certificate linking Bob with $pk'_B$ (in which case this is anyway not much of an attack). This all assumes that Charlie is not dishonest and that his private signing key has not been compromised.

We have omitted many details in the above description. Most prominently, we have not discussed how Alice learns $pk_C$ in the first place; how Charlie can be sure that $pk_B$ is Bob's public key; and how Alice decides whether to trust Charlie in the first place. Fully specifying such details (and others) gives a public-key infrastructure (PKI) that enables the widespread distribution of public keys. A variety of different PKI models have been suggested, and we mention a few of the more popular ones now. Our treatment here will be kept at a relatively high level, and the reader interested in further details is advised to consult the references at the end of this chapter.




A single certificate authority. The simplest PKI assumes a single certificate authority (CA) who is completely trusted by everybody and who issues certificates for everyone's public key. A certificate authority would not typically be a person, but would more likely be a company whose business it is to certify public keys, a governmental agency, or perhaps a department within an organization (although in this latter case the CA would likely only be used by people within the organization). Anyone who wants to rely on the services of the CA would have to obtain a legitimate copy of the CA's public key $pk_{CA}$. Clearly, this step must be carried out in a secure fashion since if some party obtains an incorrect version of $pk_{CA}$ then that party may not be able to obtain an authentic copy of anyone else's public key. This means that $pk_{CA}$ must be distributed over an authenticated channel. The easiest way of doing this is via physical means: for example, if the CA is within an organization then any employee can obtain an authentic copy of $pk_{CA}$ directly from the CA on their first day of work. If the CA is a company, then other users would have to go to this company at some point and, say, pick up a copy of a CD-ROM that contains the CA's public key. The point, once again, is that this relatively inconvenient step is only carried out once.

A common way for a CA to distribute its public key in practice is to "bundle" this public key with some other software. In fact this occurs today with most popular web browsers: a CA's public key is provided together with the web browser in something called a "certificate store", and the web browser can be programmed to automatically verify certificates as they arrive, using the public key in the store. (Actually, web browsers typically have public keys of multiple CAs hard-wired into their code, and so more accurately fall into the "multiple CA" case discussed below.) As another example, a public key could be included as part of the operating system when a new computer is purchased.

The mechanism by which a party Bob obtains a certificate from the CA must also be very carefully controlled. As one example, Bob may have to show up in person before the CA with a CD-ROM containing his public key $pk_B$ as well as some identification proving that his name (or his email address) is what he says it is. Only then should the CA issue an appropriate certificate for Bob's public key.

In the model where there is a single CA, parties completely trust this CA to issue certificates only when appropriate; this is why it is crucial that a detailed verification process be used before a certificate is issued. As a consequence, if Alice receives a certificate $\mathsf{cert}_{CA \to B}$ certifying that $pk_B$ is Bob's public key, Alice will accept this assertion as valid, and use $pk_B$ as Bob's public key.

Multiple certificate authorities. While the model in which there is only a single CA is very simple and appealing, it is not very practical. For one thing, outside of a single organization it is highly unlikely for everyone to trust the same CA. This need not imply that anyone thinks the CA is corrupt; it could simply be the case that someone finds the CA's verification process to be insufficient (say, the CA asks for only one ID when generating a certificate but Alice would prefer that two IDs be used instead). Moreover, the CA is a single point of failure for the entire system. If the CA is corrupt, or can be bribed, or even if the CA is merely lax with the way it protects its private signing key, the legitimacy of issued certificates may be called into question. Reliance on a single CA is also a problem even in non-adversarial environments: if the CA is unreachable then no new certificates can be issued, and the load on the CA may be very high if many parties want to obtain certificates at once (although this is still much better than the KDC model because the CA does not need to be online once certificates are issued).

One approach to alleviating these issues is to rely on multiple CAs. A party Bob who wants to obtain a certificate on his public key can choose which CA(s) he wants to issue a certificate, and a party Alice who is presented with a certificate, or even multiple certificates issued by different CAs, can choose which CA's certificates she trusts. There is no harm in having Bob obtain a certificate from every CA (apart from some inconvenience and expense for Bob), but Alice must be more careful since the security of her communications is ultimately only as good as the least-secure CA that she trusts. That is, say Alice trusts two CAs, $CA_1$ and $CA_2$, and $CA_2$ is corrupted by an adversary. Then although this adversary will not be able to forge certificates issued by $CA_1$, it will be able to generate certificates issued by $CA_2$ for any identity/public key of its choice. This is actually a real problem in current web browsers. As mentioned earlier, web browsers typically come pre-configured with a number of CA public keys in their certificate store, and the default setting is for all of these CAs to be treated as equally trustworthy. Essentially any company willing to pay, however, can be included as a CA. So the list of pre-configured CAs includes some reputable, well-established companies along with other, newer companies whose trustworthiness cannot be easily established. It is left to the user to manually configure their browser settings so as to only accept signed certificates from CAs that the user trusts.

Delegation and certificate chains. Another approach which alleviates some of the burden on a single CA (but does not address the security concerns of having a single point of failure) is to use certificate chains. We present the idea for certificate chains of length 2, though it is easy to see that everything we say generalizes to chains of arbitrary length.

Say Charlie, acting as a CA, issues a certificate for Bob as in our original discussion. Assume further that Bob's key $pk_B$ is a public key for a signature scheme. Bob, in turn, can issue his own certificates for other parties. For example, Bob may issue a certificate for Alice of the form

$$\mathsf{cert}_{B \to A} \stackrel{\text{def}}{=} \mathsf{Sign}_{sk_B}(\text{`Alice's key is } pk_A\text{'}).$$

Now, if Alice wants to communicate with some fourth party Dave who knows Charlie's public key (but not Bob's), then Alice can send

$$pk_A,\ \mathsf{cert}_{B \to A},\ pk_B,\ \mathsf{cert}_{C \to B}$$

to Dave. What can Dave tell from this? Well, he can first verify that Charlie, whom he trusts and whose public key is already in his possession, has signed a certificate $\mathsf{cert}_{C \to B}$ indicating that $pk_B$ indeed belongs to someone named Bob. Dave can also verify that this person named Bob has signed a certificate $\mathsf{cert}_{B \to A}$ indicating that $pk_A$ indeed belongs to Alice. If Dave trusts Charlie to only issue certificates to trustworthy people, then Dave may accept $pk_A$ as being the authentic key of Alice.

In this example stronger semantics are associated with a certificate $\mathsf{cert}_{C \to B}$. In all our prior discussion, a certificate of this form was only an assertion that Bob holds the public key $pk_B$. Now, a certificate asserts that Bob holds the public key $pk_B$ and Bob should be trusted to issue other certificates. It is not essential that all certificates issued by Charlie have these semantics, and Charlie could, for example, have two different "types" of certificates that he issues.

When Charlie signs a certificate for Bob having the stronger semantics discussed above, Charlie is delegating his ability to issue certificates to Bob. In effect, Bob can now act as a proxy for Charlie, issuing certificates on behalf of Charlie. Coming back to a CA-based PKI, we can imagine one "root" CA and $n$ "second-level" CAs denoted $CA_1, \ldots, CA_n$. The root CA issues certificates on behalf of each of the second-level CAs, who can then in turn issue certificates for other principals holding public keys. This eases the burden on the root CA, and also makes it more convenient for parties to obtain certificates (since they may now contact the second-level CA who is closest to them, for example). On the other hand, managing these second-level CAs may be difficult, and their presence means that there are now more points of attack in the system.

The "web of trust" model. The last example of a PKI we will discuss is a fully-distributed model, with no central points of trust, called the "web of trust". A variant of this model is used by the PGP email encryption program for distribution of public keys.

In the "web of trust" model, anyone can issue certificates to anyone else and each user has to make their own decision about how much trust to place in certificates issued by other users. As an example of how this might work, say a user Alice is already in possession of public keys $pk_1, pk_2, pk_3$ for some users $C_1, C_2, C_3$. (We discuss below how these public keys might initially be obtained by Alice.) Another user Bob who wants to communicate with Alice might have certificates $\mathsf{cert}_{C_1 \to B}$, $\mathsf{cert}_{C_3 \to B}$, and $\mathsf{cert}_{C_4 \to B}$, and will send these certificates (along with his public key $pk_B$) to Alice. Alice cannot verify $\mathsf{cert}_{C_4 \to B}$ (since she doesn't have $C_4$'s public key), but she can verify the other two certificates. Now she has to decide how much trust she places in $C_1$ and $C_3$. She may decide to accept $pk_B$ if she unequivocally trusts $C_1$, or also if she trusts both $C_1$ and $C_3$ to a lesser extent. (She may, for example, consider it likely that either $C_1$ or $C_3$ is corrupt, but consider it unlikely for them both to be corrupt.)
We see that in this model, as we have described it, users are expected to collect both public keys of other parties, as well as certificates on their own public key (issued by other parties). In the context of PGP, this is often done at "key-signing parties" where PGP users get together (say, at a conference), give each other authentic copies of their public keys, and issue certificates for each other. In general the users at a key-signing party may not know each other, but they can check a driver's license, say, before accepting someone's public key.

Public  keys  and  certificates  can  also  be  stored  in  a central  database,  and  this 
is  done  for  the  case  of  PGP  (see  http://pgp.mit.edu).  When  Alice  wants 
to  send  an  encrypted  message  to  Bob,  she  can  search  for  Bob’s  public  key  in 
this  database;  along  with  Bob’s  public  key,  the  database  will  return  a list  of 
all  certificates  it  holds  that  have  been  issued  for  Bob’s  public  key.  It  is  also 
possible  that  multiple  public  keys  for  Bob  will  be  found  in  the  database,  and 
each  of  these  public  keys  may  be  certified  by  certificates  issued  by  a different 
set  of  parties.  Once  again,  Alice  then  needs  to  decide  how  much  trust  to  place 
in  any  of  these  public  keys  before  using  them. 

The  web  of  trust  model  is  attractive  because  it  works  at  the  “grass-roots” 
level,  without  requiring  trust  in  any  central  authority.  On  the  other  hand, 
while  it  may  work  well  for  the  average  user  encrypting  their  email,  it  does 
not  seem  appropriate  for  settings  where  security  is  more  critical,  or  for  the 
distribution  of  organizational  public  keys.  If  a user  wants  to  communicate 
with  his  bank,  for  example,  it  is  unlikely  that  he  would  trust  people  he  met 
at  a conference  to  certify  his  bank’s  public  key,  and  also  unlikely  that  a bank 
representative  will  go  to  a key-signing  party  to  get  the  bank’s  key  certified. 

Invalidating Certificates

One important issue we have not yet touched upon at all is the fact that certificates should generally not be valid indefinitely. An employee may leave a company, in which case he or she is no longer allowed to receive encrypted communication from others within the company; a user's private key might also be stolen, at which point the user (assuming they know about the theft) will want to generate a new key-pair and have the old public key removed from circulation. In either of these scenarios, we need a way to render previously-issued certificates invalid.

Approaches  for  handling  these  issues  are  varied  and  complex,  and  we  will 
only  mention  two  relatively  simple  ideas  that,  in  some  sense,  represent  oppo- 
site extremes.  (Improving  these  methods  is  an  active  area  of  research,  and  the 
reader  is  referred  to  the  references  at  the  end  of  the  chapter  for  an  introduction 
to  the  literature  in  this  area.) 

Expiration. One method for preventing certificates from being used indefinitely is to include an expiry date as part of the certificate. A certificate issued by a CA Charlie for Bob's public key might now have the form

$$\mathsf{cert}_{C \to B} \stackrel{\text{def}}{=} \mathsf{Sign}_{sk_C}(\text{`Bob's key is } pk_B\text{'},\ \mathsf{date}),$$

where $\mathsf{date}$ is some date in the future at which point the certificate becomes invalid. (For example, it may be 1 year from the day the certificate is issued.) When another user verifies this certificate, they need to know not only $pk_B$ but also the expiry date, and they now need to check not only that the signature is valid, but also that the expiry date has not passed. A user who holds a certificate must contact the CA to get a new certificate issued whenever their current one expires; at this point, the CA verifies the identity/credentials of the user again before issuing another certificate.

Expiry dates provide a very coarse-grained solution to the problems mentioned earlier. If an employee leaves a company the day after getting a certificate, and the certificate expires 1 year after its issuance date, then this employee can use his or her public key illegitimately for an entire year until the expiry date passes. For this reason, this approach is typically used in conjunction with other methods such as the one we describe next.

Revocation.  When  an  employee  leaves  an  organization,  or  a user’s  private 
key  is  stolen,  we  would  like  the  certificates  that  have  been  issued  for  their 
public  keys  to  become  invalid  immediately,  or  at  least  as  soon  as  possible. 
This  can  be  achieved  by  having  the  CA  explicitly  revoke  the  certificate.  Of 
course,  everything  we  say  applies  more  generally  if  the  user  had  certificates 
issued  by  multiple  CAs;  for  simplicity  we  assume  a single  CA. 

There are many different ways revocation can be handled. One possibility (the only one we will discuss) is for the CA to include a serial number in every certificate it issues; that is, a certificate will now have the form

$$\mathsf{cert}_{C \to B} \stackrel{\text{def}}{=} \mathsf{Sign}_{sk_C}(\text{`Bob's key is } pk_B\text{'},\ \#\#\#),$$

where "###" represents the serial number of this certificate. Each certificate should have a unique serial number, and the CA will store the information $(\text{Bob}, pk_B, \#\#\#)$ for each certificate it generates.

If  a user  ^ob’s  private  key  corresponding  to  the  public  key  pks  is  stolen. 
Bob  can  alert  the  CA  to  this  fact.  (Note  that  the  CA  must  verify  Bob’s 
identity  here,  to  prevent  another  user  from  falsely  revoking  a certificate  issued 
to  Bob.  For  an  alternative  approach,  see  Exercise  12.13.)  The  CA  will  then 
search  its  database  to  find  the  serial  number  associated  with  the  certificate 
issued  for  Bob  and  pks-  At  the  end  of  each  day,  say,  the  CA  will  generate  a 
certificate  revocation  list  (or  CRL)  containing  the  serial  numbers  of  all  revoked 
certificates,  and  sign  this  entire  list  along  with  the  current  date.  The  signed  list 
is  then  widely  distributed,  perhaps  by  posting  it  on  the  CA’s  public  webpage. 

To  verify  a certificate  issued  as  above,  another  user  now  needs  pks  and 
also  the  serial  number  of  the  certificate  (this  can  be  forwarded  by  Bob  along 
with  everything  else).  Verification  now  requires  checking  that  the  signature 
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is  valid,  checking  that  the  serial  number  does  not  appear  on  the  most  recent 
revocation  list,  and  verifying  the  CA’s  signature  on  the  revocation  list  itself. 

In  this  approach  the  way  we  have  described  it,  there  is  a gap  of  at  most  1 
day  before  a certificate  becomes  invalid.  This  offers  more  flexibility  than  an 
approach  based  only  on  expiry  dates. 
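The serial-number and CRL mechanism just described, as an added Python example that is not from the book: a toy hashed-RSA signer with constructed, undersized primes stands in for the CA's (Sign, Vrfy), and the verifier checks the certificate's signature, its expiry date, the CRL's signature and date, and whether the serial number appears on the CRL. All class and function names are my own.

```python
import hashlib
from dataclasses import dataclass

# Toy hashed-RSA (Sign, Vrfy) standing in for the CA's signature scheme.
# The primes are constructed and far too small for real use; the
# certificate/CRL bookkeeping below is the point, not the primitive.
_P, _Q = 1000000007, 998244353
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))          # CA's private exponent

def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ca_sign(msg: bytes) -> int:               # Sign_{sk_CA}: H(m)^d mod N
    return pow(_h(msg), D, N)

def ca_vrfy(msg: bytes, sig: int) -> bool:    # Vrfy_{pk_CA}: sig^e == H(m)
    return pow(sig, E, N) == _h(msg)

@dataclass(frozen=True)
class Certificate:
    subject: str
    pk: bytes        # subject's public key; opaque bytes in this example
    serial: int      # the "###" of the text, unique per certificate
    expiry: int      # last day (a day counter) on which the cert is valid

    def statement(self) -> bytes:
        # What the CA actually signs: "<subject>'s key is <pk>, serial, expiry".
        return (f"{self.subject}'s key is {self.pk.hex()}, "
                f"{self.serial}, {self.expiry}").encode()

def _crl_statement(date: int, serials: list) -> bytes:
    return f"CRL {date}: {','.join(map(str, serials))}".encode()

class CA:
    def __init__(self, validity_days: int = 365):
        self.validity_days = validity_days
        self.next_serial = 1
        self.issued = {}         # serial -> (subject, pk): the CA's database
        self.revoked = set()     # serials that go on every future CRL

    def issue(self, subject: str, pk: bytes, today: int):
        # The CA verifies the subject's identity/credentials out of band.
        cert = Certificate(subject, pk, self.next_serial,
                           today + self.validity_days)
        self.issued[cert.serial] = (subject, pk)
        self.next_serial += 1
        return cert, ca_sign(cert.statement())

    def revoke(self, subject: str, pk: bytes) -> int:
        # Called after the CA has verified the subject's identity: look up
        # the serial number associated with (subject, pk) and mark it.
        for serial, entry in self.issued.items():
            if entry == (subject, pk):
                self.revoked.add(serial)
                return serial
        raise KeyError("no certificate on record for that subject and key")

    def publish_crl(self, today: int) -> dict:
        # End-of-day CRL: all revoked serials, signed together with the date.
        serials = sorted(self.revoked)
        return {"date": today, "serials": serials,
                "sig": ca_sign(_crl_statement(today, serials))}

def verify_certificate(cert: Certificate, sig: int, crl: dict,
                       today: int) -> str:
    """Return 'ok', or the reason the certificate must be rejected."""
    if not ca_vrfy(cert.statement(), sig):
        return "bad certificate signature"
    if today > cert.expiry:
        return "expired"
    if not ca_vrfy(_crl_statement(crl["date"], crl["serials"]), crl["sig"]):
        return "bad CRL signature"
    if today - crl["date"] > 1:      # CRLs are daily; insist on a fresh one
        return "stale CRL"
    if cert.serial in crl["serials"]:
        return "revoked"
    return "ok"

if __name__ == "__main__":
    ca = CA()
    bob_pk = b"\x00\x01\x02\x03"          # constructed placeholder key
    cert, sig = ca.issue("Bob", bob_pk, today=100)
    print(verify_certificate(cert, sig, ca.publish_crl(100), 100))   # ok
    ca.revoke("Bob", bob_pk)               # Bob reports his private key stolen
    print(verify_certificate(cert, sig, ca.publish_crl(101), 101))   # revoked
```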


References  and  Additional  Reading 

Notable early work on digital signatures includes that of Diffie and Hellman
[47], Rabin [118, 119], Rivest, Shamir, and Adleman [122], and Goldwasser,
Micali, and Yao [71]. Lamport's one-time signature scheme was published in
1979 [92], though it was already described in [47].

Goldwasser, Micali, and Rivest [70] defined the notion of existential unforgeability
under an adaptive chosen-message attack, and also gave the first
construction of a stateful signature scheme satisfying this definition. (Interestingly,
as explained in that paper, prior to their work some had thought
that Definition 12.2 was impossible to achieve.) Goldreich [63] suggested an
approach to make the Goldwasser-Micali-Rivest scheme stateless, and we have
essentially adopted Goldreich's ideas in Section 12.6.2.

We have not shown any efficient constructions of signature schemes in this
chapter since the known constructions are somewhat difficult to analyze and
require cryptographic assumptions beyond those introduced in this book. The
interested reader can consult, e.g., [61, 38, 55].

A tree-based construction similar in spirit to Construction 12.12 was suggested
by Merkle [100, 101], though a tree-based approach was also used
in [70]. Naor and Yung [106] showed that one-way permutations suffice for
constructing one-time signatures that can sign messages of arbitrary length,
and this was improved by Rompel [124, 84] who showed that one-way functions
are sufficient. As we have seen in Section 12.6.2, one-time signatures
of this sort can be used to construct signature schemes that are existentially
unforgeable under an adaptive chosen-message attack.

Goldreich [65, Chapter 6] and Katz [83] provide a more extensive treatment
of signature schemes than what is covered here.

The notion of certificates was first described by Kohnfelder [89] in his undergraduate
thesis. Public-key infrastructures are discussed in greater detail
in [87, Chapter 15] and [1]. Ellison and Schneier [51] discuss some reasons
why PKI is not a panacea for identity management.

As in the private-key setting (cf. Section 4.9), one can also consider mechanisms
for jointly achieving privacy and integrity in the public-key setting.
This is sometimes referred to as signcryption; the work of An, Dodis, and
Rabin [6] provides a good introduction to this area.


Exercises 


12.1 Prove that the existence of a one-time signature scheme for 1-bit messages
implies the existence of one-way functions.

12.2 For each of the following variants of the definition of security for signatures,
state whether textbook RSA is secure and prove your answer:

(a) In this first variant, the experiment is as follows: the adversary is
given the public key pk and a random message m. The adversary is
then allowed to query the signing oracle once on a single message
that does not equal m. Following this, the adversary outputs a
signature σ and succeeds if Vrfy_pk(m, σ) = 1. As usual, security is
said to hold if the adversary can succeed in this experiment with
at most negligible probability.

(b) The second variant is as above, except that the adversary is not
allowed to query the signing oracle at all.

12.3 The textbook Rabin signature scheme is the same as the textbook RSA
scheme, except using the Rabin trapdoor permutation (see Section 11.2).
Show that textbook Rabin signatures have the property that an adversary
can actually obtain the private key using an adaptive chosen-message
attack.

12.4 Another approach (besides hashed RSA) to trying to construct secure
RSA signatures is to use encoded RSA. Here, public and private keys
are as in textbook RSA; a public encoding function enc is fixed; and the
signature on a message m is computed as σ := [enc(m)^d mod N].

(a) How is verification performed in encoded RSA?

(b) Discuss why appropriate choice of an encoding function prevents
the "no-message attack" described in Section 12.3.1.

(c) Show that encoded RSA is insecure for enc(m) = 0‖m‖0^{ℓ/10} (where
ℓ = ‖N‖, |m| = 9ℓ/10 − 1, and m is not the all-0 message).

(d) Show that encoded RSA is insecure for enc(m) = 0‖m‖0‖m (where
|m| = (‖N‖ − 1)/2 and m is not the all-0 message).

12.5 Show that Construction 4.5 for constructing a variable-length MAC from
any fixed-length MAC can also be used (with appropriate modifications)
to construct a signature scheme for arbitrary-length messages from any
signature scheme for messages of fixed length ℓ(n). What is the minimal
length that ℓ(n) can be? What are the advantages and disadvantages
of this construction in comparison to "hash-and-sign"?
12.6 Let f be a one-way permutation (as in Definition 6.2). Consider the
following signature scheme for messages in the set {1, ..., n}:

• To generate keys, choose random x ← {0,1}^n and set y := f^n(x).
The public key is y and the private key is x.

• To sign message i ∈ {1, ..., n}, output f^{n−i}(x) (where f^0(x) = x).

• To verify signature σ on message i with respect to public key y,
check whether $y \stackrel{?}{=} f^i(\sigma)$.

(a) Show that the above is not a one-time signature scheme. Given
a signature on a message i, for what messages j can an adversary
output a forgery?

(b) Prove that no PPT adversary given a signature on i can output a
forgery on any message j > i except with negligible probability.

(c) Suggest how to modify the scheme so as to obtain a one-time signature
scheme.

Hint: Include two values y, y' in the public key.

12.7 Consider the Lamport one-time signature scheme. Describe an adversary
who obtains signatures on two messages of its choice and can then
forge signatures on any message it likes.

12.8 The Lamport scheme uses 2ℓ values in the public key to sign messages
of length ℓ. Consider the following variant: the private key consists of
2ℓ values x_1, ..., x_{2ℓ}, and the public key contains the values y_1, ..., y_{2ℓ}
where y_i = f(x_i). A message m ∈ {0,1}^{ℓ'} is mapped in a one-to-one
fashion to a subset S_m ⊂ {1, ..., 2ℓ} of size ℓ. To sign m, the signer
reveals {x_i}_{i ∈ S_m}. Prove that this gives a one-time signature scheme.

What is the maximum message-length ℓ' that this scheme supports?

12.9 A strong one-time signature scheme satisfies the following (informally):
given a signature σ on a message m, it is infeasible to output (m', σ') ≠
(m, σ) for which σ' is a valid signature on m' (note that m = m' is
allowed).

(a) Give a formal definition of strong one-time signatures.

(b) Assuming the existence of one-way functions, show a one-way function
for which Lamport's scheme is not a strong one-time signature
scheme.

(c) Construct a strong one-time signature scheme based on any assumption
used in this book.

Hint: Use a particular one-way function in Lamport's scheme.
12.10 Let (Gen, H) be a collision-resistant hash function, where H maps strings
of length 2n to strings of length n. Prove that the function family
(Gen, Samp, H) is one-way (cf. Definition 7.70), where Samp is the trivial
algorithm that samples a random string of length 2n.

Hint: Choosing random x ← {0,1}^{2n} and finding an inverse of y =
H^s(x) does not guarantee a collision. But it does yield a collision most
of the time...

12.11  At  the  end  of  Section  12.6.2,  we  show  how  a pseudorandom  function  can 
be  used  to  make  Construction  12.12  stateless.  Does  a similar  approach 
work  for  the  path-based  scheme  described  in  Section  12.6.1?  If  so,  sketch 
a construction  and  proof.  If  not,  explain  why  and  modify  the  scheme  to 
obtain  a stateless  variant. 

12.12  Prove  Theorem  12.14. 

12.13 Assume revocation of certificates is handled in the following way: when
a user Bob claims that the private key corresponding to his public key
pk_B has been stolen, the user sends to the CA a statement of this fact
signed with respect to pk_B. Upon receiving such a signed message, the
CA revokes the appropriate certificate.

Explain why it is not necessary for the CA to check Bob's identity in this
case. In particular, explain why it is of no concern that an adversary who
has stolen Bob's private key can forge signatures with respect to pk_B.

Public-Key Cryptosystems in the Random Oracle Model


In the previous three chapters, we have seen constructions of public-key encryption
schemes and digital signatures based on a variety of assumptions.
For the most part, however, the provably-secure schemes we have discussed
and analyzed are not particularly efficient. Specifically:

• In Section 10.4.3 we saw an encryption scheme that can be proven secure
based on the RSA assumption (cf. Theorem 10.19), but the efficiency of
this scheme does not come close to the efficiency of the textbook RSA
encryption scheme described in Section 10.4.1. In fact, no secure encryption
scheme based on RSA with efficiency comparable to the textbook
RSA encryption scheme is currently known. (The padded RSA encryption
scheme with ℓ = O(n) is efficient, but its security is not known to
follow from the assumption that the RSA problem is hard.)

• We have not shown any public-key encryption scheme that is secure
against chosen-ciphertext attacks. Though efficient schemes based on
the decisional Diffie-Hellman assumption and others are known, there is
no known scheme based on RSA that is even remotely practical.

• We have seen only a single example of a digital signature scheme that
is existentially unforgeable under an adaptive chosen-message attack.
This construction, shown in Section 12.6.2, is not very practical. No
signature scheme is currently known that can be proven secure based on
any of the assumptions introduced in this book, and whose efficiency is
comparable to the textbook RSA signature scheme.

The above hold even if we are willing to assume efficient pseudorandom functions
(that could be instantiated using a block cipher such as DES or AES)
and/or efficient collision-resistant hash functions (that could be instantiated
using a cryptographic hash function such as SHA-1). We conclude that there
are few public-key cryptosystems that are both: (1) efficient enough to be
used in practice, yet (2) can be proven secure based on "standard" cryptographic
assumptions (such as the RSA, factoring, or DDH assumptions).¹

¹An exception is the El Gamal encryption scheme that is both efficient and can be proven
secure based on the DDH assumption.
This state of affairs presents a challenge to cryptographers, who continue
to work at improving the efficiency of existing schemes, proposing new assumptions,
and showing limitations to the best possible efficiency that can be
achieved using existing assumptions. In the meanwhile, we are left in practice
with the question of what schemes to use. While one might suggest to
simply choose the most efficient provably-secure scheme currently available,
the reality appears to be that people prefer to use nothing rather than use an
inefficient scheme. Furthermore, in some cases existing solutions are not even
remotely practical.²

Another  possibility,  of  course,  is  to  use  an  efficient  but  completely  ad-hoc 
cryptosystem  with  no  justification  for  its  security  other  than,  perhaps,  the 
fact  that  the  designers  tried  to  attack  the  scheme  and  were  unsuccessful.  This 
flies  in  the  face  of  everything  we  have  said  so  far  about  the  importance  of  the 
rigorous,  modern  approach  to  cryptography,  and  it  should  be  clear  that  this 
is  unacceptable!  By  using  a scheme  that  merely  appears  “hard  to  break” , we 
leave  ourselves  open  to  an  adversary  who  is  more  clever  than  us  and  who  can 
break  the  scheme.  A better  alternative  must  be  sought. 


13.1  The  Random  Oracle  Methodology 

An  approach  which  has  been  hugely  successful  in  practice,  and  offers  a 
“middle  ground”  between  a fully-rigorous  proof  of  security  on  the  one  hand 
and  no  proof  whatsoever  on  the  other,  is  to  introduce  an  idealized  model  in 
which  to  prove  the  security  of  cryptographic  schemes.  Though  the  idealization 
may  not  be  an  accurate  reflection  of  reality,  we  can  at  least  derive  some 
measure  of  confidence  in  the  soundness  of  a scheme’s  design  from  a proof 
within  the  idealized  model.  As  long  as  the  model  is  reasonable,  such  proofs 
are  certainly  better  than  no  proofs  at  all. 

The  most  popular  example  of  this  approach  is  the  random  oracle  model, 
which  posits  the  existence  of  a public,  randomly-chosen  function  H that  can 
be  evaluated  only  by  “querying”  an  oracle  — which  can  be  thought  of  as  a 
“magic  box”  — that  returns  H{x)  when  given  input  x.  (We  will  discuss  in 
the  following  section  exactly  how  this  is  to  be  interpreted.)  To  differentiate 
things,  the  model  we  have  been  using  until  now  (where  no  random  oracle  is 
present)  is  often  called  the  “standard  model” . 

No one seriously claims that a random oracle exists (although there have
been suggestions that a random oracle could be implemented in practice using
a trusted party). Rather, the random oracle model provides a formal methodology
that can be used to design and validate cryptographic schemes via the
following two-step approach:

1. First, a scheme is designed and proven secure in the random oracle
model. That is, we assume the world contains a random oracle, and
construct and analyze a cryptographic scheme based on this assumption.
Standard cryptographic assumptions (of the type we have seen until
now) may be utilized in the proof of security as well.

2. When we want to implement the scheme in the real world, a random
oracle is not available. Instead, the random oracle H in the scheme
is instantiated with a cryptographic hash function H such as SHA-1,
modified appropriately. That is, at each point where the scheme dictates
that a party should query the oracle for the value H(x), the party instead
computes H(x) on its own.

²Given the above discussion, it is justified to wonder why the El Gamal encryption scheme
is not widely adopted in practice. Indeed, we have no good explanation for this.

The hope is that the cryptographic hash function used in the second step is
"sufficiently good" at emulating a random oracle, so that the security proof
given in the first step will carry over to the real-world instantiation of the
scheme. A difficulty is that there is currently no theoretical justification for
this hope, and in fact there exist (contrived) schemes that can be proven secure
in the random oracle model but are insecure no matter how the random oracle
is instantiated in the second step. Furthermore, as a practical matter it is not
clear exactly what it means for a hash function to be "good" at emulating a
random oracle, nor is it clear that this is an achievable goal. For these reasons,
a proof of security for a scheme in the random oracle model should be viewed
as providing evidence that the scheme has no "inherent design flaws", but
should not be taken as a rigorous proof that any real-world instantiation of
the scheme is secure. Further discussion on how to interpret proofs in the
random oracle model is given in Section 13.1.2.

13.1.1  The  Random  Oracle  Model  in  Detail 

Before continuing, let us pin down exactly what the random oracle model
entails. A good way to think about the random oracle model is as follows:
The "oracle" is simply a box that takes a binary string as input and returns
a binary string as output. The internal workings of the box are unknown and
inscrutable. Everyone (both honest parties as well as adversaries) can
interact with the box, where such interaction consists of entering a binary
string x as input and receiving a binary string y as output; we refer to this as
querying the oracle on x, and call x itself a query made to the oracle. Queries
to the oracle are assumed to be private so that if some party queries the oracle
on input x then no one else learns x, or even learns that this party queried
the oracle at all. This makes sense, because calls to the oracle correspond in
reality to local (private) evaluations of a cryptographic hash function.

It is guaranteed that the box is consistent: that is, if the box ever outputs
y for a particular input x, then it always outputs the same answer y when
given the same input x again. This means that we can view the box as
implementing a function H, i.e., we simply define the function H in terms of
the input/output characteristics of the box. For convenience, we thus speak
of "querying H" rather than querying the box. No one "knows" the entire
function H (except the box itself); at best, all that is known are the values of
H on the strings that have been explicitly queried thus far.

We now discuss what it means to choose this function H at random. Any
function H mapping n-bit inputs to ℓ(n)-bit outputs can be viewed as a table
indicating for each possible input x ∈ {0,1}^n the corresponding output value
H(x) ∈ {0,1}^{ℓ(n)}. Using lexicographic order for the inputs, this means that
any such function can be represented by a string of length 2^n · ℓ(n) bits,
and conversely that every string of this length can be viewed as a function
mapping n-bit inputs to ℓ(n)-bit outputs. An immediate corollary is that
there are exactly $2^{2^n \cdot \ell(n)}$ different functions having the specified input
and output lengths. Picking a function H of this type uniformly at random
means choosing H uniformly from among these $2^{2^n \cdot \ell(n)}$ possibilities. In the random
oracle model as we have been picturing it, this corresponds to initializing
the oracle by choosing such an H and having the oracle answer according
to H. Note that storing the string/table representing H in any physical
device would require an exponential (in the input length) number of bits, so
even for moderately-sized inputs this is not something we can hope to do in
the real world.

An equivalent, but often more convenient, way to think about choosing a
function H uniformly at random is to imagine generating random outputs for
H "on-the-fly," as needed. Specifically, imagine that the function is defined
by a table of pairs {(x_i, y_i)} that is initially empty. When the oracle receives a
query x it first checks whether x = x_i for some pair (x_i, y_i) in the table; if so,
the corresponding y_i is returned. Otherwise, a random string y ∈ {0,1}^{ℓ(n)} is
chosen, the answer y is returned, and the oracle stores (x, y) in its table so the
same output can be returned if the same input is ever queried again. While
one could imagine carrying this out in the real world, this is further from
our conception of "fixing" the function H once-and-for-all before beginning
to run some cryptographic scheme. From the point of view of the parties
interacting with the oracle, however, it is completely equivalent. We remark
that viewing H as choosing output values "on-the-fly" also makes things much
easier (technically as well as conceptually) when H is defined over an infinite
domain such as {0,1}*.

When we defined pseudorandom functions in Section 3.6.1, we also considered
algorithms having oracle access to a random function. Lest there be any
confusion, we note that the usage of a random function there is very different
from the usage of a random function here. There, a random function was
used as a way of defining what it means for a concrete keyed function to be
pseudorandom. In the random oracle model, the random function is used as
part of the construction of the primitive, and so must somehow be instantiated
in the real world if we want a concrete realization of the primitive.

Security  Proofs  in  the  Random  Oracle  Model 

(This  section  may  be  skipped  on  a first  reading,  and  should  be  more  clear 
after  reading  the  proofs  in  Sections  13.2  and  13.3.) 

Definitions and security proofs in the random oracle model are a bit different
from their counterparts in the standard model that we are, by now,
familiar with. In the standard model, we have a concrete scheme Π, an experiment
Expt_{A,Π} defined for Π and any adversary A, and a value γ indicating
the maximum desired probability of some "bad" event (e.g., for encryption
γ = 1/2 and for signatures γ = 0). A definition of security for Π then takes
the following general form: the scheme Π is secure if, for any probabilistic
polynomial-time adversary A we have

$\Pr[\mathsf{Expt}_{A,\Pi}(n) = 1] \le \gamma + \mathsf{negl}(n),$

where the probability is taken over the random choices of the parties running Π
and those of the adversary A. Parties who use Π (in the real world) will make
random choices, and so the above guarantees security in real-world usage of
the scheme.

In the random oracle model, in contrast, a scheme Π will be defined in such
a way that it relies on an oracle H. A concrete scheme is only obtained by
fixing H and, here, we let Π^H denote the scheme that is obtained in this way.
(We will not make this explicit in later sections.) A definition of security for
Π then takes the following general form: Π is secure if, for any probabilistic
polynomial-time adversary A we have

$\Pr[\mathsf{Expt}_{A,\Pi^H}(n) = 1] \le \gamma + \mathsf{negl}(n).$

(We also give A oracle access to H since this is the only way for A to evaluate
H. Again, we will not make this explicit in later sections.) Now, however,
the above probability is taken over random choice of H as well as the random
choices of the parties running Π and those of the adversary A. It is
precisely because the probability is now also taken over choice of H that we
speak of H as a random oracle.

To use Π in the real world, some H must be fixed. Unfortunately, security
of Π is not guaranteed for any particular function H but is instead only
guaranteed with all but negligible probability over random choice of H. (This
is analogous to the fact that a scheme secure in the standard model is not
guaranteed to be secure for any particular set of random choices made by the
honest parties but only with high probability over these random choices.) This
indicates one reason why it is difficult to argue that any concrete instantiation
of the oracle H by a deterministic function like SHA-1 yields a real-world
implementation of Π that is actually secure: for all we know, SHA-1 may
be one of the functions for which the scheme happens to be insecure. An
additional difficulty is that once a concrete function H is fixed, the adversary
A is no longer restricted to querying H as an oracle but can instead look at
the code of H and use this additional information in the course of its attack.

Simple  Illustrations  of  the  Random  Oracle  Model 

At  this  point  some  examples  may  be  helpful.  The  examples  given  here 
are  rather  simple,  do  not  use  the  full  power  that  the  random  oracle  model 
affords,  and  do  not  really  illustrate  any  of  the  limitations  of  the  random 
oracle  methodology;  the  intention  of  including  these  examples  is  merely  to 
provide  a gentle  introduction  to  the  use  of  the  model. 

In all that follows, we assume a random oracle mapping n_1-bit inputs to n_2-bit
outputs where n_1, n_2 > n, the security parameter. (Technically speaking,
n_1 and n_2 are thus functions of n.)

A random oracle as a one-way function. We first show that a random
oracle acts like a one-way function! Note that we do not say that a random
oracle is a one-way function, since (as discussed in the previous section) a
random oracle is not a fixed function. Rather, what we claim is that any
polynomial-time adversary A succeeds with only negligible probability in the
following experiment:

1. A random function H is chosen.

2. A random input x ∈ {0,1}^{n_1} is chosen, and y := H(x) is evaluated.

3. A is given y, and succeeds if it outputs a value x' such that H(x') = y.

We stress that A can query the oracle H arbitrarily many times in this experiment.
(Recall that H is assumed to be accessible to everyone.) This makes
sense because, in reality, the oracle is replaced by a concrete function that is
known to everyone, including the adversary.

We now argue why any polynomial-time A succeeds in the above experiment
with only negligible probability. Assume without loss of generality that A
never makes the same query to H twice, and that the value x' output by A
was queried by A to the oracle. Assume further that if A ever makes a query
x_i with H(x_i) = y, then A succeeds. (This just means that A does not act
stupidly and fail to output a correct answer if it finds one.) Then the success
probability of A in the above experiment is exactly the same as the success
probability of A in the following experiment (to see why, it helps to recall
the discussion from the previous section regarding "on-the-fly" selection of a
random function):

1. A random x ∈ {0,1}^{n_1} is chosen, and a random value y ∈ {0,1}^{n_2} is
given to A.

2. Each time A makes a query x_i to the random oracle, do:

• If x_i = x, then A immediately succeeds.

• Otherwise, choose a random y_i ∈ {0,1}^{n_2}. If y_i = y then A immediately
succeeds; if not, return y_i to A as the answer to the query
and continue the experiment.

Let q be the number of queries A makes to the oracle, with q = poly(n)
since A runs in polynomial time. Since y is completely independent of x, the
probability that A succeeds by querying x_i = x for some i is at most q/2^{n_1}.
Furthermore, since the answer y_i is chosen at random when the query x_i is
not equal to x, the probability that A succeeds because y_i = y for some i is
at most q/2^{n_2}. Since n_1, n_2 > n the probability that A succeeds is therefore
at most 2q/2^n = poly(n)/2^n, which is negligible.
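The "on-the-fly" oracle and the inversion experiment above, as an added Python example that is not from the book: the oracle is a lazily filled table of (x_i, y_i) pairs, the experiment runs steps 1-3 against an arbitrary adversary and counts its queries q, and success_bound computes q/2^{n_1} + q/2^{n_2} from the argument above. Function and class names are my own; strings are represented as integers.

```python
import random
from fractions import Fraction

class RandomOracle:
    """A random function {0,1}^n1 -> {0,1}^n2, chosen 'on-the-fly'.

    Strings are ints in [0, 2^n1) and [0, 2^n2). The table of pairs (x_i, y_i)
    starts empty; a fresh query gets a uniformly random answer, a repeated
    query gets the stored one (the consistency guarantee in the text)."""

    def __init__(self, n1: int, n2: int, rng: random.Random):
        self.n1, self.n2, self.rng = n1, n2, rng
        self.table = {}
        self.queries = 0          # number of queries so far (q in the text)

    def query(self, x: int) -> int:
        if not 0 <= x < 2 ** self.n1:
            raise ValueError("query outside {0,1}^n1")
        self.queries += 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n2)
        return self.table[x]

def inversion_experiment(adversary, n1: int, n2: int, seed: int = 0):
    """Steps 1-3 of the one-wayness experiment with a lazily sampled H.
    Returns (success, q) where q is the number of oracle queries A made."""
    rng = random.Random(seed)
    H = RandomOracle(n1, n2, rng)       # step 1: H chosen (lazily)
    x = rng.getrandbits(n1)             # step 2: random x, y := H(x)
    y = H.query(x)
    H.queries = 0                       # count only the adversary's queries
    x_prime = adversary(H, y, n1)       # step 3: A gets y and oracle access
    q = H.queries
    return H.query(x_prime) == y, q

def exhaustive_adversary(H, y, n1):
    # Queries every input (q = 2^n1), so it always wins; its running time is
    # exponential, which is exactly what q = poly(n) in the bound rules out.
    for x in range(2 ** n1):
        if H.query(x) == y:
            return x
    return 0

def budgeted_adversary(q: int):
    # A generic adversary making at most q distinct queries and, as in the
    # text's without-loss-of-generality assumptions, outputting a value it
    # has already queried (or 0 when q = 0).
    def adversary(H, y, n1):
        x_prime = 0
        for x in range(min(q, 2 ** n1)):
            x_prime = x
            if H.query(x) == y:
                return x
        return x_prime
    return adversary

def success_bound(q: int, n1: int, n2: int) -> Fraction:
    # Two ways to win: some x_i = x (at most q/2^n1), or some freshly chosen
    # y_i equals y (at most q/2^n2).
    return Fraction(q, 2 ** n1) + Fraction(q, 2 ** n2)

def estimate_success(adversary, n1: int, n2: int, trials: int) -> Fraction:
    """Empirical success rate over independent runs (a fresh H each time)."""
    wins = sum(inversion_experiment(adversary, n1, n2, seed=t)[0]
               for t in range(trials))
    return Fraction(wins, trials)

if __name__ == "__main__":
    # Toy parameters (n1 = n2 = 6) so the oracle table stays small.
    print(estimate_success(budgeted_adversary(8), 6, 6, 200),
          "<= bound", success_bound(8, 6, 6))
    print(estimate_success(exhaustive_adversary, 6, 6, 20))     # 1
```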

A random oracle as a collision-resistant hash function. It is not much
more difficult to see that a random oracle also acts like a collision-resistant
hash function. That is, the success probability of any polynomial-time adversary
A in the following game is negligible:

1. A random function H is chosen.

2. A succeeds if it outputs x, x' with H(x) = H(x') but x ≠ x'.

To see this, assume without loss of generality that A only outputs values x, x'
that it had previously queried to the oracle, and that A never makes the same
query to the oracle twice. Letting the oracle queries of A be x_1, ..., x_q, with
q = poly(n), it is clear that the probability that A succeeds is upper-bounded
by the probability that H(x_i) = H(x_j) for some i ≠ j. Viewing the choice
of a random H as being computed "on-the-fly", this is exactly equal to the
probability that if we pick strings y_1, ..., y_q ∈ {0,1}^{n_2} independently and
uniformly at random, we have y_i = y_j for some i ≠ j. The problem has now
been transformed into an example of the birthday problem. Using the results
of Appendix A.4 we see that A succeeds with probability O(q^2/2^{n_2}), which is
negligible.

Constructing a pseudorandom function from a random oracle. It is also rather easy to construct a pseudorandom function in the random oracle model (though the proof is not quite as trivial as in the examples above). Suppose $n_1 = 2n$ and $n_2 = n$. Then define

$$F_k(x) \stackrel{\mathrm{def}}{=} H(k \| x),$$

where $|k| = |x| = n$. We claim that this is a pseudorandom function; namely, for any polynomial-time A the success probability of A in the following experiment is at most negligibly greater than 1/2:

1. A random function H, a random $k \in \{0,1\}^n$, and a random bit b are chosen.

2. If $b = 0$, the adversary A is given access to an oracle for $F_k(\cdot)$. If $b = 1$, then A is given access to a random function mapping n-bit inputs to n-bit outputs. (This random function is independent of H.)

3. A outputs a bit $b'$, and succeeds if $b = b'$.

In step 2, A can access H in addition to the function oracle provided to it by the experiment. (For this reason, H itself, with no key, is not a pseudorandom function. In other words, a pseudorandom function in the random oracle model must be indistinguishable from random even given access to H.) In Exercise 13.1 you are asked to show that the construction above indeed gives a pseudorandom function.

An interesting aspect of all the above proofs is that they hold even for computationally unbounded adversaries, as long as such adversaries are limited to making only polynomially-many queries to the oracle. This has no real-world counterpart where, for example, any function can be inverted by an adversary running for an unlimited amount of time and, moreover, there is no way to define what it means to "evaluate a function" polynomially-many times (since it may be possible to determine the output of a function at multiple points without explicitly computing the function).

Advanced Proof Techniques in the Random Oracle Model

The preceding examples may not make clear that the random oracle model enables certain proof techniques that have no counterpart in the standard model, precisely due to the fact that the adversary is given only oracle access to H (and cannot evaluate H on its own). We sketch these proof techniques here, but caution the reader that a full understanding will likely have to wait until later in this chapter when these techniques are used in the proofs of some concrete schemes.

A first distinctive feature of the random oracle model, used already in the previous section, is:

If an adversary A has not explicitly queried the oracle on some point x, then the value of $H(x)$ is completely random (at least as far as A is concerned).

This may seem superficially similar to the guarantee provided by a pseudorandom generator, but is actually quite different. If G is a pseudorandom generator then $G(x)$ is pseudorandom to an observer assuming x is chosen uniformly at random and is completely unknown to the observer. For H a random oracle, however, $H(x)$ is truly random as long as the adversary has not queried x. This is true even if x is known. Or if x is not chosen uniformly at random but is chosen with enough uncertainty to make guessing x difficult. (E.g., if x is an n-bit string where the first half of x is known and the last half is random then $G(x)$ might be easy to distinguish from random but $H(x)$ will not be.)

Say we are trying to prove security of some scheme in the random oracle model. As in the rest of the book, we will construct a reduction showing how any adversary A breaking the security of the scheme (in the random oracle model) can be used to violate some cryptographic assumption.¹ As part of the reduction, the random oracle with which A interacts must be simulated. That is: A will submit queries to, and receive answers from, what it believes to be the oracle, but the reduction itself must now answer these queries. This turns out to give a lot of power. For starters:

The reduction may choose values for the output of H as it likes (as long as these values are correctly distributed, i.e., uniformly random).

This is sometimes called "programmability". Although it may not seem like programmability confers any advantage, it does; this is perhaps illustrated best by the proof of Theorem 13.11.

Another advantage that is derived from the fact that the reduction is able to simulate the random oracle is:

The reduction "sees" all the queries that A makes to the random oracle.

(This does not contradict the fact, mentioned earlier, that queries to the random oracle are "private". While that is true in the formal model itself, here we are using A as a subroutine within a reduction.) This also turns out to be extremely useful, as the proofs of Theorems 13.2 and 13.6 will demonstrate.

There is no counterpart to either of the above once the oracle H is instantiated as a concrete function H. Once H is fixed at the outset of some experiment, the reduction can no longer set the values for the output of H as it likes, and can no longer "see" the inputs on which A is evaluating H. This is discussed in further detail below.

13.1.2 Is the Random Oracle Methodology Sound?

Recall that schemes proven secure in the random oracle model are implemented in the real world by instantiating H with some concrete function. With the mechanics of the random oracle model behind us, we turn to more fundamental questions such as:

• What do proofs of security in the random oracle model guarantee in the real world?

• Are proofs in the random oracle model fundamentally different from proofs in the standard model?

¹In contrast, the proofs of one-wayness, collision-resistance, and pseudorandomness in the previous section were information-theoretic and were not based on any cryptographic assumption.

We highlight at the outset that these questions do not currently have any definitive answers: there is currently much debate within the cryptographic community regarding the role played by the random oracle model, and an active area of research is to determine what, exactly, a proof of security in the random oracle model does guarantee in the real world. We can only hope to give a flavor of both sides of the debate.

Objections to the random oracle model. The starting point for arguments against using random oracles is simple: as we have already noted, there is no formal or rigorous justification for believing that a proof of security for some scheme $\Pi$ in the random oracle model implies anything about the security of $\Pi$ in the real world (i.e., once the random oracle H has been instantiated with any particular hash function H). These are more than just theoretical misgivings. A more basic issue is that no concrete hash function can ever act as a "true" random oracle. For example, in the random oracle model the value $H(x)$ is "completely random" if x was not explicitly queried. The counterpart would be to require that $H(x)$ is random (or pseudorandom) if H was not explicitly evaluated on x. How are we to interpret this in the real world? For starters, it is not even clear what it means to "explicitly evaluate" H: what if an adversary knows some shortcut for computing H that doesn't involve running the actual code for H? Moreover, $H(x)$ cannot possibly be random (or even pseudorandom) since once the adversary learns the description of H, the value of that function on all inputs is immediately defined.

Limitations of the random oracle model become more clear once we examine the proof techniques introduced in Section 13.1.1. As an example, recall that one proof technique is to use the fact that a reduction algorithm can "see" the queries that an adversary A makes to the random oracle. But if we replace the random oracle by a particular hash function H, this means that we must provide a description of H to the adversary at the beginning of the experiment. But then A can evaluate H on its own, without making any explicit queries, and so a reduction will no longer have the ability to "see" any queries made by A. (In fact, as noted in the previous paragraph, the notion of A performing distinct evaluations of H may not even be true and certainly cannot be formally defined.) Likewise, the reduction algorithm can choose the outputs of H as it wishes, something that is clearly not true when a concrete function is used.

Even if we are willing to overlook the above theoretical concerns, a practical problem is that we do not currently have a very good understanding of what it means for a concrete hash function to be "sufficiently good" at instantiating a random oracle. For concreteness, say we want to instantiate the random oracle using (some appropriate modification of) SHA-1. While for some particular scheme $\Pi$ it might be reasonable to assume that $\Pi$ is secure when instantiated using SHA-1, it is much less reasonable to assume that SHA-1 can take the place of the random oracle in every scheme designed in the random oracle model. Indeed, as we have said earlier, we know that SHA-1 is not a random oracle. And it is not hard to design a scheme that can be proven secure in the random oracle model, but is completely insecure when the random oracle is replaced by SHA-1. (See Exercise 13.2.)

We emphasize that an assumption of the form "SHA-1 acts like a random oracle" is significantly different from an assumption of the form "SHA-1 is collision-resistant" or "AES is a pseudorandom function." The problem lies partly with the fact that we do not have a satisfactory definition of what the first statement means, while we do have such definitions for the latter two statements. In particular, a random oracle is not the same as a pseudorandom function: the latter is a keyed function that can only be evaluated when the key is known, and is only "random-looking" when the key is unknown. In contrast, a random oracle is an unkeyed function that can be evaluated by anyone, yet is supposed to remain "random-looking" in some ill-defined sense.

Because of this, using the random oracle model to prove security of a scheme is qualitatively different from, e.g., introducing a new cryptographic assumption in order to prove a scheme secure in the standard model; therefore, proofs of security in the random oracle model are less desirable and less satisfying than proofs of security in the standard model. The division of the chapters in this book can be taken as an endorsement of this preference.

Support for the random oracle model. Given all the problems with the random oracle model, why do we use it at all? More to the point: why has the random oracle model been so influential in the development of modern cryptography (especially current practical usage of cryptography), and why does it continue to be so widely used? As we will see, the random oracle model currently enables the design of substantially more efficient schemes than those we know how to construct in the standard model. As such, there are few (if any) public-key cryptosystems used today having proofs of security in the standard model, while there are numerous widely-deployed schemes having proofs of security in the random oracle model. In addition, proofs in the random oracle model are almost universally recognized as important for schemes being considered as standards. The random oracle model has increased the confidence we have in certain efficient schemes, and has played a major role in the increasing pervasiveness with which cryptographic algorithms are deployed.

The fundamental reason is the belief, with which we concur, that:

A proof of security in the random oracle model is significantly better than no proof at all.

Though some disagree, we offer the following in support of this assertion:
• A proof of security for a given scheme in the random oracle model indicates that the scheme's design is "sound", in the sense that the only possible weaknesses in a real-world instantiation of the scheme are those that arise due to a weakness in the hash function used to instantiate the random oracle. Said differently, a proof in the random oracle model indicates that the only way to "break" the scheme in the real world is to "break" the hash function itself (in some way). Thus, if the hash function is "good enough" we have some confidence in the security of the scheme. Moreover, if a given instantiation of the scheme is successfully attacked, we can simply replace the hash function being used with a "better" one.

• Importantly, there have been few real-world attacks on "natural" schemes proven secure in the random oracle model. (We do not include here attacks on "contrived" schemes like that of Exercise 13.2, but remark that great care must be taken in instantiating the random oracle, as indicated by the scheme in Exercise 13.3 which was once widely used.) This gives evidence to the usefulness of the random oracle model in designing practical schemes.

Nevertheless, the above ultimately represent only intuitive speculation as to the usefulness of proofs in the random oracle model, and proofs in the standard model are still, all other things being equal, preferable. Understanding exactly what proofs in the random oracle model guarantee in the real world remains an important research question facing cryptographers today.

Summary and recommendations. Using a scheme that is proven secure in the random oracle model is significantly better than using a scheme having no proof of security at all. However, when a reasonably-efficient construction having a proof of security in the standard model is known (even if it is slightly less efficient than another construction that relies on random oracles), we recommend using this instead.

Instantiating the Random Oracle

Multiple times already in this chapter, we have stated that the random oracle can be instantiated in practice using "an appropriate modification of a cryptographic hash function". In fact, matters are complicated by a number of issues including:

• Existing cryptographic hash functions almost all follow the Merkle-Damgård paradigm (cf. Section 4.6.4), and can therefore be distinguished relatively easily from a random oracle when variable-length inputs are allowed. See Exercise 13.3.

• Frequently, it is necessary for the output of the random oracle to have a certain form; e.g., the oracle should output elements of $\mathbb{Z}_N^*$ rather than bit-strings. Cryptographic hash functions, of course, output bit-strings only.

A detailed discussion of how these issues can be dealt with in practice is beyond the scope of this book; our aim is merely to alert the reader to the subtleties that arise.



13.2 Public-Key Encryption in the Random Oracle Model

In this section we present various public-key encryption schemes in the random oracle model. We present these constructions based on the RSA problem, both for convenience as well as because these constructions are most frequently instantiated using RSA in practice. We remark, however, that they can all be instantiated using an arbitrary trapdoor permutation (see Section 10.7.1).

13.2.1 Security Against Chosen-Plaintext Attacks

The secure public-key encryption scheme we have previously seen based on RSA (cf. Theorem 10.19) was both inefficient and difficult to prove secure; indeed, we offered no proof. In the random oracle model, things become significantly easier. Consider the following scheme, described formally in Construction 13.1. As usual for RSA-based schemes, the public key is (N, e) and the private key is (N, d). To encrypt a message $m \in \{0,1\}^{\ell(n)}$, the sender chooses a random $r \leftarrow \mathbb{Z}_N^*$ and sends the ciphertext

$$([r^e \bmod N],\ H(r) \oplus m),$$

where H is a function, modeled as a random oracle, mapping elements of $\mathbb{Z}_N^*$ to strings of length $\ell(n)$.


CONSTRUCTION 13.1

Let GenRSA be as usual, and let $\ell(n)$ be an arbitrary polynomial. Let H be a function whose domain can be set to $\mathbb{Z}_N^*$ for any N, and whose range can be set to $\{0,1\}^{\ell(n)}$ for any n. Construct a public-key encryption scheme as follows:

• Gen: on input $1^n$, run GenRSA($1^n$) to compute (N, e, d). The public key is (N, e) and the private key is (N, d).

• Enc: on input a public key (N, e) and a message $m \in \{0,1\}^{\ell(n)}$, choose a random $r \leftarrow \mathbb{Z}_N^*$ and output the ciphertext

$$([r^e \bmod N],\ H(r) \oplus m).$$

• Dec: on input a private key (N, d) and a ciphertext $(c_1, c_2)$, compute $r := [c_1^d \bmod N]$ and then output the message $H(r) \oplus c_2$.
Assuming that the RSA problem is hard relative to GenRSA, we can argue intuitively that the scheme is CPA-secure in the random oracle model as follows: since r is chosen at random it is infeasible for an eavesdropping adversary to recover r from $c_1 = [r^e \bmod N]$. The adversary will therefore never query r to the random oracle, and so the value $H(r)$ is completely random from the adversary's point of view. But then $c_2$ is just a "one-time pad"-like encryption of m using the random value $H(r)$, and so the adversary gets no information about m. This intuition is developed into a formal proof below.

The proof, as indicated by the intuition above, relies heavily on the fact that H is a random oracle, and does not work if H is replaced by, e.g., a pseudorandom generator G. The reason is that the RSA assumption implies only that (roughly speaking) an adversary cannot recover r from $[r^e \bmod N]$, but says nothing about what partial information about r the adversary might recover. For instance, it may be the case that the adversary can compute half the bits of r, and in this case we can no longer claim that $G(r)$ is pseudorandom (since pseudorandomness of $G(r)$ requires r to be completely random). However, when H is a random oracle it does not matter if partial information about r is leaked; $H(r)$ is random as long as r has not been explicitly queried to the oracle.

THEOREM 13.2 If the RSA problem is hard relative to GenRSA and H is modeled as a random oracle, Construction 13.1 has indistinguishable encryptions under a chosen-plaintext attack.

PROOF Let $\Pi$ denote Construction 13.1. As usual, we prove that $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper; by Theorem 10.10 this implies that $\Pi$ is CPA-secure.

Let A be a probabilistic polynomial-time adversary, and define

$$\varepsilon(n) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1].$$

For the reader's convenience, we describe the steps of experiment $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$. We highlight the fact that H is chosen at random as part of the experiment, as discussed previously.

1. A random function H is chosen.

2. GenRSA($1^n$) is run to generate (N, e, d). A is given $pk = (N, e)$, and may query $H(\cdot)$. Eventually, A outputs two messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.

3. A random bit $b \leftarrow \{0,1\}$ and a random $r \leftarrow \mathbb{Z}_N^*$ are chosen, and A is given the ciphertext $([r^e \bmod N],\ H(r) \oplus m_b)$. The adversary may continue to query $H(\cdot)$.

4. A then outputs a bit $b'$. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.

In an execution of experiment $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$, let Query denote the event that, at any point during its execution, A queries r to the random oracle H (where r is the value used to generate the challenge ciphertext). We also use Success as shorthand for the event that $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1$. Then

$$\Pr[\mathsf{Success}] = \Pr[\mathsf{Success} \wedge \mathsf{Query}] + \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}]$$
$$\leq \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] + \Pr[\mathsf{Query}],$$

where all probabilities are taken over the randomness used in experiment $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$. We show that $\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] \leq \frac{1}{2}$ and that $\Pr[\mathsf{Query}]$ is negligible. The theorem follows.

CLAIM 13.3 If H is modeled as a random oracle, then

$$\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] \leq \frac{1}{2}.$$

If $\Pr[\overline{\mathsf{Query}}] = 0$ then the claim is immediate. Otherwise, we have

$$\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] = \Pr[\mathsf{Success} \mid \overline{\mathsf{Query}}] \cdot \Pr[\overline{\mathsf{Query}}] \leq \Pr[\mathsf{Success} \mid \overline{\mathsf{Query}}].$$

Furthermore, $\Pr[\mathsf{Success} \mid \overline{\mathsf{Query}}] = \frac{1}{2}$. This is an immediate consequence of what we said earlier: namely, that if A does not explicitly query r to the oracle then $H(r)$ is completely random from A's point of view, and so A has no information as to whether $m_0$ or $m_1$ was encrypted. (This is exactly as in the case of the one-time pad encryption scheme.) Therefore, the probability that $b' = b$ when Query does not occur is exactly $\frac{1}{2}$. The reader should convince him or herself that this intuition can be turned into a formal proof.

CLAIM 13.4 If the RSA problem is hard relative to GenRSA and H is modeled as a random oracle, then $\Pr[\mathsf{Query}]$ is negligible.

The intuition here is that if $\Pr[\mathsf{Query}]$ is not negligible then we can use A to solve the RSA problem with non-negligible probability as follows: given inputs N, e, and $c_1 \in \mathbb{Z}_N^*$, give to A the public key (N, e) and ciphertext $(c_1, c_2)$, where $c_2 \leftarrow \{0,1\}^{\ell(n)}$ is a random string. Then monitor all the queries that A makes to the random oracle. (See the discussion in Section 13.1.1.) If Query occurs then one of A's queries r satisfies $r^e = c_1 \bmod N$, and so we can output r as the answer. We therefore solve the RSA problem with probability exactly $\Pr[\mathsf{Query}]$, which must be negligible because the RSA problem is hard relative to GenRSA.
Formally, consider the following algorithm:

Algorithm $A'$:

The algorithm is given $(N, e, c_1)$ as input.

1. Choose a random $k \leftarrow \{0,1\}^{\ell(n)}$.

   /* $A'$ implicitly sets $H(\hat{r}) = k$, where $\hat{r} = [c_1^{1/e} \bmod N]$. Note, however, that $A'$ does not know $\hat{r}$. */

2. Run A on input the public key $pk = (N, e)$. Store pairs of strings $(\cdot, \cdot)$ in a table, initially empty. When A makes a query x to the random oracle H, answer it as follows:

   • If there is an entry $(x, k)$ in the table, return k.

   • If $x^e = c_1 \bmod N$, return k and store $(x, k)$ in the table. (In this case we have $x = \hat{r}$, for $\hat{r}$ defined as above.)

   • Otherwise, choose a random $k' \leftarrow \{0,1\}^{\ell(n)}$, return $k'$ to A, and store $(x, k')$ in the table.

3. At some point, A outputs messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$.

4. Choose a random $b \leftarrow \{0,1\}$ and set $c_2 := k \oplus m_b$. Give A the ciphertext $(c_1, c_2)$. Continue answering random oracle queries as before.

5. At the end of A's execution (after it has output its guess $b'$), let $x_1, \ldots, x_p$ be the list of all oracle queries made by A. If there exists an i for which $x_i^e = c_1 \bmod N$, output $x_i$.

It is immediate that $A'$ runs in polynomial time. Say the input to $A'$ is generated by running GenRSA($1^n$) to obtain (N, e, d) and then choosing $c_1 \in \mathbb{Z}_N^*$ at random (see Definition 7.46). Then the view of A when run as a subroutine by $A'$ is distributed identically to the view of A in experiment $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$. (In each case (N, e) is generated the same way; $c_1$ is equal to $[r^e \bmod N]$ for a randomly-chosen $r \leftarrow \mathbb{Z}_N^*$; and the random oracle queries of A are answered with random strings.) Thus, the probability of event Query remains unchanged. Furthermore, $A'$ correctly solves the given RSA instance whenever Query occurs. That is,

$$\Pr[\mathrm{RSA\text{-}inv}_{A',\mathrm{GenRSA}}(n) = 1] = \Pr[\mathsf{Query}].$$

Since the RSA problem is hard relative to GenRSA, it must be the case that $\Pr[\mathsf{Query}]$ is negligible. This concludes the proof of the claim, and hence the proof of the theorem. ■


A critical aspect of the above proof is that the reduction algorithm $A'$ can see the queries that A makes to the random oracle H. It is this property that enables $A'$ to correctly solve the given RSA instance whenever A makes the "right" query (i.e., whenever event Query occurs). Note that the proof also uses the fact that the reduction can implicitly set $H(\hat{r}) = k$ without even knowing $\hat{r}$. Thus it also uses the "programmability" feature of random oracle proofs.
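The simulated oracle of $A'$, together with the "on-the-fly" sampling of H used throughout Section 13.1.1, as an added Python example that is not from the book: the oracle is sampled lazily into a table, records every query so the reduction can "see" them, and is programmed so that the (unknown) e-th root of $c_1$ maps to k. The toy RSA modulus, the adversary interface and the two sample adversaries are constructed for the demonstration only.

```python
"""Algorithm A' from the proof of Claim 13.4: a lazily sampled random oracle
that records every query (so the reduction "sees" them) and is programmed so
that the unknown e-th root of c1 maps to k.  Added example, not the book's
code; the toy modulus and the sample adversaries are constructed for the demo."""
import math
import secrets

# Constructed toy RSA parameters (p = 2^31 - 1, q = 2^61 - 1 are primes); far
# too small for real use, but enough to exercise the reduction.
N = ((1 << 31) - 1) * ((1 << 61) - 1)
E = 65537
ELL = 16          # l(n): message length in bytes


class Reduction:
    """A'(N, e, c1): runs an adversary A against Construction 13.1, simulating
    H on the fly, and outputs an e-th root of c1 if A ever queried one."""

    def __init__(self, n, e, c1):
        self.n, self.e, self.c1 = n, e, c1
        self.k = secrets.token_bytes(ELL)   # step 1: H(r^) := k, r^ unknown
        self.table = {}                     # on-the-fly sampled H
        self.queries = []                   # every x that A asked H about

    def oracle(self, x):
        """Step 2: answer H(x)."""
        self.queries.append(x)
        if x in self.table:                 # repeated query, same answer
            return self.table[x]
        if pow(x, self.e, self.n) == self.c1:
            ans = self.k                    # x = r^: the programmed point
        else:
            ans = secrets.token_bytes(ELL)  # fresh uniform value
        self.table[x] = ans
        return ans

    def challenge(self, m0, m1):
        """Step 4: challenge ciphertext (c1, k xor m_b) under the implicit key."""
        self.b = secrets.randbelow(2)
        return self.c1, bytes(a ^ c for a, c in zip(self.k, (m0, m1)[self.b]))

    def run(self, adversary):
        """Steps 2-5: run A, then look through its queries for a root of c1."""
        adversary((self.n, self.e), self.oracle, self.challenge)
        for x in self.queries:
            if pow(x, self.e, self.n) == self.c1:
                return x
        return None


# --- Constructed adversaries; each gets (pk, H, challenge) and returns b' ---
def querying_adversary(r):
    """An A that is assumed to know r and queries it, so event Query occurs
    (in the real experiment such an A decrypts the challenge outright)."""
    def adversary(pk, H, challenge):
        m0, m1 = bytes(ELL), bytes([0xff]) * ELL
        c1, c2 = challenge(m0, m1)
        H(12345)                             # an unrelated query
        pad = H(r)                           # the decisive query
        return 0 if bytes(a ^ p for a, p in zip(c2, pad)) == m0 else 1
    return adversary


def guessing_adversary(r):
    """An A that never queries r: the reduction learns nothing and outputs None."""
    def adversary(pk, H, challenge):
        challenge(bytes(ELL), bytes([1]) * ELL)
        H(2); H(3); H(3)
        return secrets.randbelow(2)
    return adversary


def simulate(adversary_factory):
    """Sample an RSA instance c1 = r^e mod N, run A' on it, and return the
    recovered root together with the true r."""
    while True:
        r = 1 + secrets.randbelow(N - 1)
        if math.gcd(r, N) == 1:                # r <- Z_N^*
            break
    red = Reduction(N, E, pow(r, E, N))
    return red.run(adversary_factory(r)), r
```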

13.2.2 Security Against Chosen-Ciphertext Attacks

We have not yet seen any examples of public-key encryption schemes secure against chosen-ciphertext attacks. Although such schemes exist, they are somewhat complex. Moreover, no practical schemes are known that can be based on the RSA or factoring assumptions (in contrast to the DDH assumption for which such schemes do exist). Once again, the situation becomes much simpler in the random oracle model, and we show a construction based on the RSA assumption here.

Let GenRSA be as in the previous section, and let $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ be a private-key encryption scheme for messages of length $\ell(n)$. Consider the following public-key encryption scheme, described formally in Construction 13.5. The public and private keys, as usual, are (N, e) and (N, d), respectively. To encrypt a message $m \in \{0,1\}^{\ell(n)}$, the sender chooses a random $r \leftarrow \mathbb{Z}_N^*$ and sends the ciphertext

$$\bigl([r^e \bmod N],\ \mathrm{Enc}'_{H(r)}(m)\bigr),$$

where H is a function, modeled as a random oracle, mapping elements of $\mathbb{Z}_N^*$ to strings of length n.


CONSTRUCTION 13.5

Let GenRSA be as in the previous section, let $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ be a private-key encryption scheme for messages of length $\ell(n)$, and let H be a function whose domain can be set to $\mathbb{Z}_N^*$ for any N, and whose range can be set to $\{0,1\}^n$ for any n. Construct a public-key encryption scheme as follows:

• Gen: on input $1^n$, run GenRSA($1^n$) to compute (N, e, d). The public key is (N, e) and the private key is (N, d).

• Enc: on input a public key (N, e) and a message $m \in \{0,1\}^{\ell(n)}$, choose a random $r \leftarrow \mathbb{Z}_N^*$ and compute $k := H(r)$. Output the ciphertext

$$([r^e \bmod N],\ \mathrm{Enc}'_k(m)).$$

• Dec: on input a private key (N, d) and a ciphertext $(c_1, c_2)$, compute $r := [c_1^d \bmod N]$ and set $k := H(r)$. Then output $\mathrm{Dec}'_k(c_2)$.
Construction 13.1 can be viewed as a special case of the above, using the one-time pad as the private-key encryption scheme $(\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$. In fact, it is possible to generalize Theorem 13.2, and prove that Construction 13.5 yields a CPA-secure public-key encryption scheme whenever $\Pi'$ has indistinguishable encryptions in the presence of an eavesdropper (see Exercise 13.4). Here, we are interested in showing that the construction gives a CCA-secure public-key encryption scheme whenever $\Pi'$ itself is CCA-secure. As shown in Section 4.8, efficient private-key encryption schemes satisfying this notion of security can be constructed relatively easily.
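To make the two constructions concrete, here is an added Python example (not the book's code) that implements Construction 13.5 with a pluggable private-key scheme $\Pi'$ and recovers Construction 13.1 by plugging in the one-time pad. It assumes a toy RSA modulus built from two fixed Mersenne primes, SHAKE-256 as the instantiation of H (so the output length can be chosen to match either construction), and a constructed encrypt-then-MAC scheme as the CCA-secure $\Pi'$; none of these parameters are adequate for real use.

```python
"""Construction 13.5 (RSA + random oracle + private-key scheme Pi'), with
Construction 13.1 as the special case Pi' = one-time pad.  Added example, not
the book's code; the RSA primes, SHAKE-256 as H, and the encrypt-then-MAC Pi'
are assumptions made here and are NOT secure parameters for real use."""
import hashlib
import hmac
import math
import secrets

# Constructed toy key: p = 2^31 - 1 and q = 2^61 - 1 are Mersenne primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
E = 65537


def gen_rsa():
    """Stand-in for GenRSA: returns pk = (N, e) and sk = (N, d)."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))     # e is invertible mod phi(N)


def H(r, n, out_len):
    """Random-oracle instantiation Z_N^* -> {0,1}^{8*out_len}: r is encoded
    with a fixed width so distinct r give distinct inputs; SHAKE-256 supplies
    whatever output length l(n) the outer scheme needs."""
    width = (n.bit_length() + 7) // 8
    return hashlib.shake_256(r.to_bytes(width, "big")).digest(out_len)


def sample_zn_star(n):
    """Uniform r <- Z_N^* by rejection sampling."""
    while True:
        r = 1 + secrets.randbelow(n - 1)        # r in [1, N-1]
        if math.gcd(r, n) == 1:
            return r


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- Private-key schemes Pi' = (Enc', Dec') used inside the construction ---
def otp_enc(k, m):
    """One-time pad: with this Pi', Construction 13.5 is Construction 13.1."""
    assert len(k) == len(m)
    return xor(k, m)


def otp_dec(k, c):
    return xor(k, c)


def etm_enc(k, m):
    """Encrypt-then-MAC in the style of Section 4.8: the 32-byte k is split
    into a pad key and a MAC key; a fresh nonce keys a SHAKE-derived pad, and
    HMAC-SHA256 authenticates nonce||ciphertext.  Constructed toy scheme."""
    k_enc, k_mac = k[:16], k[16:]
    nonce = secrets.token_bytes(16)
    body = nonce + xor(hashlib.shake_256(k_enc + nonce).digest(len(m)), m)
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def etm_dec(k, c):
    k_enc, k_mac = k[:16], k[16:]
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, body, hashlib.sha256).digest(), tag):
        return None                         # invalid tag: reject (CCA defence)
    nonce, ct = body[:16], body[16:]
    return xor(hashlib.shake_256(k_enc + nonce).digest(len(ct)), ct)


# --- Construction 13.5 ---
def pk_enc(pk, m, enc_prime, key_len):
    """Enc: choose r <- Z_N^*, k := H(r), output ([r^e mod N], Enc'_k(m))."""
    n, e = pk
    r = sample_zn_star(n)
    return pow(r, e, n), enc_prime(H(r, n, key_len), m)


def pk_dec(sk, c, dec_prime, key_len):
    """Dec: r := [c1^d mod N], k := H(r), output Dec'_k(c2)."""
    n, d = sk
    c1, c2 = c
    return dec_prime(H(pow(c1, d, n), n, key_len), c2)


def roundtrip(m, scheme="etm"):
    """Encrypt and decrypt m under a fresh key; returns the recovered message."""
    pk, sk = gen_rsa()
    if scheme == "otp":                         # Construction 13.1: |k| = |m|
        return pk_dec(sk, pk_enc(pk, m, otp_enc, len(m)), otp_dec, len(m))
    return pk_dec(sk, pk_enc(pk, m, etm_enc, 32), etm_dec, 32)


def tampered_roundtrip(m):
    """Flip one bit of c2 before decrypting: the MAC inside Pi' rejects it."""
    pk, sk = gen_rsa()
    c1, c2 = pk_enc(pk, m, etm_enc, 32)
    c2 = bytes([c2[0] ^ 1]) + c2[1:]
    return pk_dec(sk, (c1, c2), etm_dec, 32)   # returns None
```

With the one-time pad the decryptor has no way to detect a modified $c_2$, which is exactly why Construction 13.1 is only claimed CPA-secure while Construction 13.5 with a CCA-secure $\Pi'$ can reject tampered ciphertexts.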

The intuition for the proof of CCA-security, when H is modeled as a random oracle, is roughly as in the previous section. Letting r be the value used to encrypt the challenge ciphertext presented to the adversary, we will again distinguish between the case that the adversary does not query r to the random oracle H and the case that it does. In the first case, the adversary learns nothing about the key $k = H(r)$ and so we can reduce the security of the construction to the security of the private-key encryption scheme $\Pi'$. We then argue that the second case occurs with only negligible probability if the RSA problem is hard relative to GenRSA. The proof of this is now significantly more complex than in the previous section because we must now show how it is possible to simulate decryption oracle queries of the adversary without knowing the private key. We show how it is possible for the reduction to do this by "programming" the random oracle in an appropriate way.

THEOREM 13.6 If the RSA problem is hard relative to GenRSA, the private-key encryption scheme $\Pi'$ has indistinguishable encryptions under a chosen-ciphertext attack, and H is modeled as a random oracle, then Construction 13.5 is a public-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack.

PROOF Let $\Pi$ denote Construction 13.5, and let $\mathcal{A}$ be a probabilistic
polynomial-time adversary. Define

$$\varepsilon(n) := \Pr[\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n) = 1].$$

For convenience, we describe the steps of experiment $\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$:

1. A random function $H$ is chosen.

2. $\mathsf{GenRSA}(1^n)$ is run to obtain $(N, e, d)$. $\mathcal{A}$ is given $pk = (N, e)$,
and may query both $H(\cdot)$ and the decryption oracle $\mathsf{Dec}_{(N,d)}(\cdot)$.

3. Eventually $\mathcal{A}$ outputs two equal-length messages $m_0, m_1$. A
random bit $b \leftarrow \{0,1\}$ and a random $\hat r \leftarrow \mathbb{Z}_N^*$ are chosen, and $\mathcal{A}$ is given
the challenge ciphertext $\langle [\hat r^e \bmod N],\ \mathsf{Enc}'_{H(\hat r)}(m_b) \rangle$.

4. Adversary $\mathcal{A}$ may continue to query $H(\cdot)$ and the decryption
oracle, though it may not query the latter on the challenge
ciphertext it was given.

5. $\mathcal{A}$ then outputs a bit $b'$. The output of the experiment is
defined to be 1 if $b' = b$, and 0 otherwise.

In an execution of experiment $\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$, let $\mathsf{Query}$ denote the event that,
at any point during its execution, $\mathcal{A}$ queries $\hat r$ to the random oracle $H$. We
also use $\mathsf{Success}$ as shorthand for the event that $b' = b$. Then

$$\Pr[\mathsf{Success}] = \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] + \Pr[\mathsf{Success} \wedge \mathsf{Query}]
\le \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] + \Pr[\mathsf{Query}],$$

where all probabilities are taken over the randomness used in experiment
$\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$. We show that there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] \le \tfrac{1}{2} + \mathsf{negl}(n),$$

and that $\Pr[\mathsf{Query}]$ is negligible. The theorem follows.


CLAIM 13.7 If the private-key encryption scheme $\Pi'$ has indistinguishable
encryptions under a chosen-ciphertext attack and $H$ is modeled as a random
oracle, then there exists a negligible function $\mathsf{negl}$ such that

$$\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] \le \tfrac{1}{2} + \mathsf{negl}(n).$$

The proof now is much more involved than the proof of the corresponding
claim in the previous section. This is in part because, as discussed in the
intuition preceding this theorem, Construction 13.1 uses the perfectly-secret
one-time pad as its "private-key component", whereas Construction 13.5 uses
a computationally-secure private-key encryption scheme $\Pi'$.

Consider the following adversary $\mathcal{A}'$ carrying out a chosen-ciphertext attack
on $\Pi'$ (cf. Definition 3.30):

Adversary $\mathcal{A}'(1^n)$

$\mathcal{A}'$ has access to a decryption oracle $\mathsf{Dec}'_k(\cdot)$ for some (unknown)
secret key $k$.

1. Run $\mathsf{GenRSA}(1^n)$ to compute $(N, e, d)$. Choose $\hat r \leftarrow \mathbb{Z}_N^*$ and
set $\hat c_1 := [\hat r^e \bmod N]$.

/* $\mathcal{A}'$ is implicitly setting $H(\hat r) = k$ */

2. Run $\mathcal{A}$ on input $pk := (N, e)$. Pairs of strings $(\cdot, \cdot)$ are stored
in a table, initially empty. When $\mathcal{A}$ makes a query $(c_1, c_2)$ to
its decryption oracle, $\mathcal{A}'$ answers it as follows:

• If $c_1 = \hat c_1$, query $c_2$ to the decryption oracle $\mathsf{Dec}'_k(\cdot)$ and return
the result to $\mathcal{A}$.

• If $c_1 \neq \hat c_1$, compute $r := [c_1^d \bmod N]$. Then compute
$k := H(r)$ using the procedure discussed below. Return
the result $\mathsf{Dec}'_k(c_2)$ to $\mathcal{A}$.

When the value $H(r)$ is needed, either in response to a query
by $\mathcal{A}$ to the random oracle or in the course of answering a
query by $\mathcal{A}$ to its decryption oracle, compute $H(r)$ as follows:

• If there is an entry $(r, k)$ in the table, return $k$.

• Otherwise, choose a random $k \leftarrow \{0,1\}^n$, return it, and
store $(r, k)$ in the table.

3. At some point, $\mathcal{A}$ outputs two equal-length messages $m_0, m_1$. Output these
same messages, and receive in return a challenge ciphertext
$\hat c_2$. Give the challenge ciphertext $(\hat c_1, \hat c_2)$ to $\mathcal{A}$, and continue
to answer the oracle queries of $\mathcal{A}$ as before.

4. When $\mathcal{A}$ outputs its guess $b'$, this value is output by $\mathcal{A}'$.

It is immediate that $\mathcal{A}'$ runs in polynomial time. Furthermore, $\mathcal{A}'$ never
submits its challenge ciphertext $\hat c_2$ to its own decryption oracle after step 3; the
only way this could happen would be if $\mathcal{A}$ submitted its challenge ciphertext
$(\hat c_1, \hat c_2)$ to its own decryption oracle, but this is not allowed.

Let $\Pr'[\cdot]$ refer to the probability of an event in experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A}',\Pi'}(n)$,
and let $\Pr[\cdot]$ refer, as before, to the probability of an event in experiment
$\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$. Define $\mathsf{Success}$ and $\mathsf{Query}$ as above; that is, $\mathsf{Success}$ is the event
that $b' = b$, and $\mathsf{Query}$ is the event that $\mathcal{A}$ queries $\hat r$ to the random oracle.
The key observation is that the view of $\mathcal{A}$ when run as a subroutine by $\mathcal{A}'$
(in experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A}',\Pi'}(n)$) is distributed identically to the view of $\mathcal{A}$ in
experiment $\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$ until event $\mathsf{Query}$ occurs. This can be seen as follows:

• In each case, the public key given to $\mathcal{A}$ is clearly distributed identically.

• All random oracle queries of $\mathcal{A}$ are answered with a random string in
experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A}',\Pi'}(n)$, exactly as would be the case in experiment
$\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$.

• In experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A}',\Pi'}(n)$, decryption queries by $\mathcal{A}$ of the form $(c_1, c_2)$
with $c_1 \neq \hat c_1$ are answered exactly as in experiment $\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$.

• As long as $\mathsf{Query}$ has not occurred, decryption queries by $\mathcal{A}$ of the
form $(\hat c_1, c_2)$ are answered identically in experiments $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A}',\Pi'}(n)$ and
$\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$. This can be seen by implicitly assigning $H(\hat r)$ the value
$k$, which is a randomly-chosen value. (On the other hand, if $\mathcal{A}$ queries
$H(\hat r)$, i.e., if $\mathsf{Query}$ occurs, then $\mathcal{A}'$ returns a random value $k'$ to $\mathcal{A}$
in response to this query, and $k'$ will likely not be equal to $k$.)

Again, however, the important point is that if $\mathsf{Query}$ does not occur then
the view of $\mathcal{A}$ is identical in both experiments; furthermore, $\Pr'[\mathsf{Query}] =
\Pr[\mathsf{Query}]$ (this follows from the fact that the experiments are identical until
$\mathsf{Query}$ occurs) and thus $\Pr'[\overline{\mathsf{Query}}] = \Pr[\overline{\mathsf{Query}}]$. So

$$\Pr'[\mathsf{Success}] \ge \Pr'[\mathsf{Success} \wedge \overline{\mathsf{Query}}]
= \Pr'[\mathsf{Success} \mid \overline{\mathsf{Query}}] \cdot \Pr'[\overline{\mathsf{Query}}]$$
$$= \Pr[\mathsf{Success} \mid \overline{\mathsf{Query}}] \cdot \Pr[\overline{\mathsf{Query}}]$$
$$= \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}].$$

(The above assumes $\Pr[\overline{\mathsf{Query}}] \neq 0$, but if this is not the case then we trivially
have $\Pr'[\mathsf{Success} \wedge \overline{\mathsf{Query}}] = 0 = \Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}]$.) Because $\Pi'$ is CCA-secure,
there exists a negligible function $\mathsf{negl}$ such that

$$\Pr'[\mathsf{Success}] \le \tfrac{1}{2} + \mathsf{negl}(n),$$

and thus

$$\Pr[\mathsf{Success} \wedge \overline{\mathsf{Query}}] \le \Pr'[\mathsf{Success}] \le \tfrac{1}{2} + \mathsf{negl}(n),$$

completing the proof of the claim.

CLAIM 13.8 If the RSA problem is hard relative to GenRSA and $H$ is
modeled as a random oracle, then $\Pr[\mathsf{Query}]$ is negligible.

Intuitively, $\Pr[\mathsf{Query}]$ is negligible for the same reason as in the proof of Theorem 13.2.
Specifically, if an adversary queries $\hat r$ to $H$, where the challenge
ciphertext is $([\hat r^e \bmod N], \mathsf{Enc}'_{H(\hat r)}(m_b))$, then the adversary has computed $\hat r$
from $[\hat r^e \bmod N]$ for a randomly-chosen value $\hat r \in \mathbb{Z}_N^*$. For a formal proof,
however, we need to construct a reduction algorithm that uses such an adversary
to solve the RSA problem, and difficulties arise due to the fact that
the reduction algorithm must be able to answer the decryption oracle queries
of $\mathcal{A}$ without knowledge of the private (decryption) key. Fortunately, the random
oracle model enables a solution: to decrypt a ciphertext $(c_1, c_2)$ (where
no prior decryption query was made using the same initial component $c_1$),
the reduction algorithm generates a random key $k$ and returns the message
$\mathsf{Dec}'_k(c_2)$; it then implicitly sets $H(r) = k$, where $r = [c_1^d \bmod N]$. Note
that $r$ may be unknown at this time, and the reduction algorithm cannot
compute it, in general, without the factorization of $N$. Thus, the reduction
must ensure consistency with both prior and later queries of $\mathcal{A}$ to the random
oracle (in case $r$ is ever queried to the random oracle in the future). This is
relatively simple to do:

• When decrypting a ciphertext $(c_1, c_2)$, the reduction first checks for any
prior random oracle query $H(r)$ such that $c_1 = [r^e \bmod N]$; if found, then
the previously-returned value of $H(r)$ is used to decrypt $c_2$.

• When answering a random oracle query $H(r)$, the reduction computes
$c_1 := [r^e \bmod N]$ and checks whether any previous decryption query
used $c_1$ as the first component of the ciphertext. If so, then the value $k$
previously used to answer the decryption query is now returned as the
value of $H(r)$.

A simple data structure handles both cases: the reduction will maintain a
table storing all the random oracle queries and answers as in the proof of
Theorem 13.2 (and as in the proof of the previous claim), except that now the
table will contain triples rather than pairs. Two types of entries will appear
in the table:

• The first type of entry has the form $(r, c_1, k)$ with $c_1 = [r^e \bmod N]$. This
entry means that the reduction has defined $H(r) = k$.

• The second type of entry has the form $(\star, c_1, k)$, which means that the
value $r = [c_1^d \bmod N]$ is not yet known. (Again, the reduction is not
able to compute this value without the factorization of $N$.) An entry of
this sort indicates that the reduction is implicitly setting $H(r) = k$; so,
when answering a decryption oracle query $(c_1, c_2)$ by $\mathcal{A}$, it will return
the message $\mathsf{Dec}'_k(c_2)$. If $\mathcal{A}$ ever asks the random oracle query $H(r)$
then the reduction algorithm will return the correct answer $k$ because it
will check the table for any entry having $c_1 = [r^e \bmod N]$ as its second
component.

We implement the above ideas as the following reduction algorithm $\mathcal{A}'$:

Algorithm $\mathcal{A}'$:

The algorithm is given $(N, e, \hat c_1)$ as input.

1. Choose random $\hat k \leftarrow \{0,1\}^n$. Triples $(\cdot, \cdot, \cdot)$ are stored in a
table that initially contains only the tuple $(\star, \hat c_1, \hat k)$.

/* Letting $\hat r = [\hat c_1^d \bmod N]$ (which is the answer $\mathcal{A}'$ is looking
for), $\mathcal{A}'$ is implicitly setting $H(\hat r) = \hat k$ */

2. Run $\mathcal{A}$ on input $pk := (N, e)$. When $\mathcal{A}$ makes a query $(c_1, c_2)$
to the decryption oracle, answer it as follows:

• If there is an entry in the table whose second component
is $c_1$ (i.e., the entry is either of the form $(r, c_1, k)$ with
$r^e = c_1 \bmod N$, or of the form $(\star, c_1, k)$), let $k$ be the
third component of this entry. Return $\mathsf{Dec}'_k(c_2)$.

• Otherwise, choose a random $k \leftarrow \{0,1\}^n$, return $\mathsf{Dec}'_k(c_2)$,
and store $(\star, c_1, k)$ in the table.

When $\mathcal{A}$ makes a query $r$ to the random oracle, compute
$c_1 := [r^e \bmod N]$ and answer the query as follows:

• If there is an entry of the form $(r, c_1, k)$ in the table,
return $k$.

• If there is an entry of the form $(\star, c_1, k)$ in the table,
return $k$ and store $(r, c_1, k)$ in the table.

• Otherwise, choose a random $k \leftarrow \{0,1\}^n$, return $k$, and
store $(r, c_1, k)$ in the table.

3. At some point, $\mathcal{A}$ outputs two equal-length messages $m_0, m_1$.
Choose a random bit $b \leftarrow \{0,1\}$ and set $\hat c_2 \leftarrow \mathsf{Enc}'_{\hat k}(m_b)$.
Give to $\mathcal{A}$ the ciphertext $(\hat c_1, \hat c_2)$, and continue to answer the
oracle queries of $\mathcal{A}$ as before.

4. At the end of $\mathcal{A}$'s execution, if there is an entry in the table
of the form $(r, \hat c_1, k)$ then output $r$.

Algorithm $\mathcal{A}'$ exactly carries out the strategy outlined earlier, with the
only addition being that a random key $\hat k$ is chosen at the beginning of the
experiment and $\mathcal{A}'$ implicitly sets $H([\hat c_1^d \bmod N]) = \hat k$.

It is immediate that $\mathcal{A}'$ runs in polynomial time. Say the input to $\mathcal{A}'$
is generated by running $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$ and then choosing
$\hat c_1$ uniformly at random from $\mathbb{Z}_N^*$ (see Definition 7.46). Then the view of $\mathcal{A}$
when run as a subroutine by $\mathcal{A}'$ is distributed identically to the view of $\mathcal{A}$
in experiment $\mathsf{PubK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$. (It may take some effort to convince yourself
of this, but it follows easily given the observation that there are never any
inconsistencies in the oracle answers provided by $\mathcal{A}'$.) Thus, the probability
of event $\mathsf{Query}$ remains unchanged in the two experiments. Furthermore, $\mathcal{A}'$
correctly solves the given RSA instance whenever $\mathsf{Query}$ occurs. That is,

$$\Pr[\mathsf{RSA\text{-}inv}_{\mathcal{A}',\mathsf{GenRSA}}(n) = 1] = \Pr[\mathsf{Query}].$$

Since the RSA problem is hard relative to GenRSA, it must be the case that
$\Pr[\mathsf{Query}]$ is negligible. This concludes the proof of the claim, and hence the
proof of the theorem. ■
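The table-driven oracle simulation at the heart of Claim 13.8 is easier to trust once it has been run. The following is an added example (it is not the book's code): a toy Python model of Construction 13.5 together with the reduction $\mathcal{A}'$, which answers decryption queries with no knowledge of $d$ by programming $H$. Everything concrete here is an assumption of the example rather than of the text: the modulus is the product of two small Mersenne primes, $H$ is SHA-256, and $\Pi'$ is an encrypt-then-MAC scheme built from a SHA-256 keystream and HMAC, standing in for the CCA-secure schemes of Section 4.8.

```python
"""Toy simulation of the reduction A' in Claim 13.8.  The reduction
answers decryption queries for Construction 13.5 without the RSA private
key by keeping a table of (r, c1, k) triples and "programming" H.

Added example, not from the book.  Assumptions (toy only): N is the
product of two Mersenne primes, the random oracle H is SHA-256, and the
CCA-secure private-key scheme Pi' is a SHA-256 keystream plus an HMAC tag
(encrypt-then-MAC).
"""
import hashlib
import hmac
import os

P, Q = 2**127 - 1, 2**89 - 1          # Mersenne primes: a toy RSA key only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # only the honest receiver ever uses D
NBYTES = (N.bit_length() + 7) // 8


def _keystream(k, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def enc_prime(k, m):
    """Enc'_k(m): encrypt-then-MAC, so Pi' is CCA-secure."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))
    tag = hmac.new(k, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def dec_prime(k, c):
    """Dec'_k(c): None stands for the error symbol on a bad tag."""
    nonce, body, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(k, nonce, len(body))))


def H_real(r):
    """The honest parties' random oracle, instantiated with SHA-256."""
    return hashlib.sha256(r.to_bytes(NBYTES, "big")).digest()


def encrypt(m):
    """Construction 13.5: <[r^e mod N], Enc'_{H(r)}(m)>."""
    r = int.from_bytes(os.urandom(NBYTES), "big") % N   # gcd(r, N) = 1 w.o.p.
    return pow(r, E, N), enc_prime(H_real(r), m)


def decrypt_with_d(c1, c2):
    return dec_prime(H_real(pow(c1, D, N)), c2)


class Reduction:
    """Algorithm A' of Claim 13.8: gets (N, e, c1_hat) and never learns d.

    Table entries are (r, c1, k).  r is None for the book's star entries:
    H([c1^d mod N]) = k has been fixed, but c1^d itself is not yet known."""

    def __init__(self, c1_hat):
        self.c1_hat = c1_hat
        self.k_hat = os.urandom(32)
        self.table = [(None, c1_hat, self.k_hat)]

    def _entry_for(self, c1):
        return next((t for t in self.table if t[1] == c1), None)

    def decryption_oracle(self, c1, c2):
        entry = self._entry_for(c1)
        if entry is None:                      # fresh c1: program H(c1^d) := k
            entry = (None, c1, os.urandom(32))
            self.table.append(entry)
        return dec_prime(entry[2], c2)

    def random_oracle(self, r):
        c1 = pow(r, E, N)
        entry = self._entry_for(c1)
        if entry is None:                      # never seen: fresh random answer
            entry = (r, c1, os.urandom(32))
            self.table.append(entry)
        elif entry[0] is None:                 # star entry: now we learn r
            self.table.remove(entry)
            entry = (r, c1, entry[2])
            self.table.append(entry)
        return entry[2]

    def extract_rsa_solution(self):
        """Step 4: if Query occurred, the table holds r_hat = [c1_hat^d mod N]."""
        return next((r for r, c1, _ in self.table
                     if c1 == self.c1_hat and r is not None), None)
```

The two things to check when running it: a decryption query on a fresh $c_1$ fixes the key for $[c_1^d \bmod N]$ before anyone knows that value, and a later oracle query $H(r)$ with $r^e = c_1 \bmod N$ returns that same key, so $\mathcal{A}$ never sees an inconsistency; and the moment $\mathcal{A}$ queries $H(\hat r)$, the star entry for $\hat c_1$ is completed and extract_rsa_solution() returns $\hat r$, the RSA inverse of $\hat c_1$.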


13.2.3 OAEP

The public-key encryption scheme given in Section 13.2.2 offers a fairly
efficient way to achieve security against chosen-ciphertext attacks based on the
RSA assumption, in the random oracle model. (Moreover, as we noted earlier,
the general paradigm shown there can be instantiated using any trapdoor
permutation and so can be used to construct a scheme with similar security
based on the hardness of factoring.) For certain applications, though, even
more efficient schemes are desirable. The main drawback of the previous
scheme is that ciphertexts are longer than a single element of $\mathbb{Z}_N^*$, even when
short messages are encrypted.
The optimal asymmetric encryption padding (OAEP) technique eliminates
this drawback, and results in ciphertexts that consist of only a single element
of $\mathbb{Z}_N^*$ when short messages are encrypted. (To encrypt longer messages, hybrid
encryption would be used as discussed in Section 10.3.) Technically,
OAEP is a padding method and not an encryption scheme, though encryption
schemes that use this padding are often simply called OAEP themselves.
We denote by RSA-OAEP the combination of OAEP padding with textbook
RSA encryption (this will become clear from the discussion below and Construction 13.9).

OAEP is a reversible, randomized method for encoding a plaintext message
$m$ of length $n/2$ as a string $\hat m$ of length $2n$. (This matches Construction 13.9,
but can be generalized for other message/encoding lengths.) If
we let $\mathsf{OAEP}(m, r)$ denote the encoding of a message $m$ using randomness $r$,
then encryption using RSA-OAEP of a message $m \in \{0,1\}^{n/2}$ with respect
to the public key $(N, e)$ is carried out by choosing a random $r \leftarrow \{0,1\}^n$ and
computing the ciphertext

$$[\mathsf{OAEP}(m, r)^e \bmod N].$$

(We assume $\|N\| > 2n$.) To decrypt a ciphertext $c$, the receiver computes
$\hat m := [c^d \bmod N]$ and then tries to compute $(m, r) := \mathsf{OAEP}^{-1}(\hat m)$. If no such
inverse exists, then the receiver knows the ciphertext is invalid (and outputs
a special error symbol $\bot$). Otherwise, a unique inverse $(m, r)$ exists and the
receiver outputs the message $m$. The details, which include a specification of
the encoding OAEP, are given in Construction 13.9.

The above is actually somewhat of a simplification, in that certain details
are omitted and other choices of the parameters are possible. The reader
interested in implementing RSA-OAEP is referred to the references given in
the notes at the end of this chapter.

CONSTRUCTION 13.9

Let GenRSA be as in the previous sections, and let $G : \{0,1\}^n \to \{0,1\}^n$
and $H : \{0,1\}^n \to \{0,1\}^n$ be functions. Construct a public-key encryption
scheme as follows:

• Gen: on input $1^n$, run $\mathsf{GenRSA}(1^{n+1})$ to obtain $(N, e, d)$ with
$\|N\| > 2n$ (see the footnote below). The public key is $(N, e)$ and the private key is $(N, d)$.

• Enc: on input a public key $(N, e)$ and a message $m \in \{0,1\}^{n/2}$,
first choose a random $r \leftarrow \{0,1\}^n$. Then, set $m' := m \| 0^{n/2}$,
compute $m_1 := G(r) \oplus m'$, and define

$$\hat m := m_1 \,\|\, (r \oplus H(m_1)).$$

Interpret $\hat m$ as an element of $\mathbb{Z}_N^*$ in the natural way and output
the ciphertext $c := [\hat m^e \bmod N]$.

• Dec: on input a private key $(N, d)$ and a ciphertext $c$, first compute
$\hat m := [c^d \bmod N]$ and parse $\hat m$ as $m_1 \| m_2$ with $|m_1| = |m_2| = n$.
Next compute $r := H(m_1) \oplus m_2$, followed by $m' := m_1 \oplus G(r)$. If
the final $n/2$ bits of $m'$ are not $0^{n/2}$, output $\bot$. Otherwise, output
the first $n/2$ bits of $m'$.

The RSA-OAEP encryption scheme.

RSA-OAEP uses two functions $G$ and $H$ that are modeled as independent
random oracles in the analysis. Though the existence of more than one random
oracle was not discussed when we introduced the random oracle model in
Section 13.1.1, this is interpreted in the natural way. In fact it is quite easy to
use a single random oracle $H$ to implement two independent random oracles
by setting $G(x) := H(0\|x)$ and $H'(x) := H(1\|x)$.

Using only the fact that the encoding function OAEP is a one-to-one function
mapping $3n/2$ bits (i.e., an $n/2$-bit message and an $n$-bit random string)
to $2n$ bits, we see that the probability of a random element of $\mathbb{Z}_N^*$ being in the
image of OAEP is roughly $2^{3n/2}/2^{2n} = 2^{-n/2}$, which is negligible. In fact, the encoding function
OAEP is designed so that, intuitively, the only way to find an element in the
image of OAEP is to choose $m$ and $r$ and then explicitly compute $\mathsf{OAEP}(m, r)$.
Turning this intuition into a formal proof of security for the above construction
is beyond the scope of this book. We only mention that if the RSA
problem is hard relative to GenRSA, and $G$ and $H$ are modeled as independent
random oracles, then RSA-OAEP can be proven to be CCA-secure for
certain types of public exponents $e$ (including the common case when $e = 3$).
Variants of OAEP suitable for use with arbitrary public RSA exponents or,
more generally, with other trapdoor permutations, are also known; see the
references at the end of this chapter.
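RSA-OAEP exactly as in Construction 13.9, as an added Python example (not the book's code). The parameters are assumptions of the example: $n = 256$, so messages are 16 bytes and $\hat m$ is 64 bytes; $G$ and $H$ are SHA-256 with distinct one-byte prefixes, following the domain-separation trick above; and the modulus is the product of the Mersenne primes $2^{521}-1$ and $2^{127}-1$ with $e = 65537$ rather than $e = 3$, chosen only so that $\|N\| > 2n$ holds without a prime generator. Real keys use random primes of equal size.

```python
"""RSA-OAEP as in Construction 13.9.  Added example, not the book's code.

Assumptions (toy only): n = 256, so messages are n/2 = 128 bits and the
OAEP encoding is 2n = 512 bits; G and H are SHA-256 with a one-byte
domain-separation prefix; N is the product of the Mersenne primes
2^521 - 1 and 2^127 - 1, so ||N|| = 648 > 2n; e = 65537.
"""
import hashlib
import os

n = 256
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
assert N.bit_length() > 2 * n      # ||N|| > 2n, as the construction requires


def G(x):
    return hashlib.sha256(b"\x00" + x).digest()   # {0,1}^n -> {0,1}^n


def H(x):
    return hashlib.sha256(b"\x01" + x).digest()   # independent of G


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, r):
    """OAEP(m, r) for an n/2-bit m and n-bit r; returns the 2n-bit m_hat."""
    assert len(m) == n // 16 and len(r) == n // 8
    m_prime = m + bytes(n // 16)        # m' := m || 0^{n/2}
    m1 = xor(G(r), m_prime)             # m1 := G(r) xor m'
    return m1 + xor(r, H(m1))           # m_hat := m1 || (r xor H(m1))


def oaep_decode(m_hat):
    """OAEP^{-1}: returns (m, r), or None if m_hat is not in the image."""
    if len(m_hat) != n // 4:
        return None
    m1, m2 = m_hat[:n // 8], m_hat[n // 8:]
    r = xor(H(m1), m2)                  # r := H(m1) xor m2
    m_prime = xor(m1, G(r))             # m' := m1 xor G(r)
    if m_prime[n // 16:] != bytes(n // 16):   # final n/2 bits must be 0^{n/2}
        return None
    return m_prime[:n // 16], r


def encrypt(m):
    """Enc_{(N,e)}(m) = [OAEP(m, r)^e mod N] for a fresh random r."""
    r = os.urandom(n // 8)
    m_hat = int.from_bytes(oaep_encode(m, r), "big")
    return pow(m_hat, E, N)


def decrypt(c):
    """Dec_{(N,d)}(c); None stands for the error symbol."""
    x = pow(c, D, N)
    if x >= 1 << (2 * n):               # c^d is not even a 2n-bit string
        return None
    dec = oaep_decode(x.to_bytes(n // 4, "big"))
    return None if dec is None else dec[0]
```

Multiplying a ciphertext by $2^e \bmod N$ is the classic malleability of textbook RSA; under OAEP the receiver's decoding of $2\hat m$ fails the $0^{n/2}$ check (or is not even $2n$ bits long) and decrypt returns the error symbol, which is the behaviour the chosen-ciphertext security argument relies on. A random element of $\mathbb{Z}_N^*$ is rejected for the same reason.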


13.3 Signatures in the Random Oracle Model

Having completed our discussion of public-key encryption in the random
oracle model, we now turn our attention to a construction of the full-domain
hash (FDH) signature scheme. Though this, too, may be instantiated with
any trapdoor permutation, we once again describe a scheme, called RSA-FDH,
which is based on RSA.

We have actually seen the RSA-FDH scheme previously in Section 12.3.2,
where it was called hashed RSA. Hashed RSA was obtained by applying the
textbook RSA signature scheme to a hash of the message, rather than the
message itself. To review: in the textbook RSA signature scheme, a message
$m \in \mathbb{Z}_N^*$ was signed by computing $\sigma := [m^d \bmod N]$. Textbook RSA
is completely insecure, and in particular was shown in Section 12.3.1 to be
vulnerable to the following attacks:

• An adversary can choose an arbitrary $\sigma$, compute $m := [\sigma^e \bmod N]$,
and output $(m, \sigma)$ as a forgery.

• Given (legitimately-generated) signatures $\sigma_1$ and $\sigma_2$ on messages $m_1$
and $m_2$, respectively, an adversary can compute a valid signature $\sigma :=
[\sigma_1 \cdot \sigma_2 \bmod N]$ on the message $m := [m_1 \cdot m_2 \bmod N]$.

CONSTRUCTION 13.10

Let GenRSA be as in the previous sections, and let $H$ be a function with
domain $\{0,1\}^*$ and whose range can be set to $\mathbb{Z}_N^*$ for any $N$. Construct
a signature scheme as follows:

• Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to compute $(N, e, d)$ and set
the range of $H$ to be $\mathbb{Z}_N^*$. The public key is $(N, e)$ and the private
key is $(N, d)$.

• Sign: on input a private key $(N, d)$ and a message $m \in \{0,1\}^*$,
compute

$$\sigma := [H(m)^d \bmod N].$$

• Vrfy: on input a public key $(N, e)$, a message $m$, and a signature
$\sigma$, output 1 if and only if $\sigma^e = H(m) \bmod N$.

The RSA-FDH signature scheme.

Footnote to Construction 13.9: This explains our unusual choice to run GenRSA with input $1^{n+1}$ rather than input $1^n$.

In RSA-FDH (i.e., hashed RSA), the signer hashes $m$ before signing it; that
is, a signature on a message $m$ is computed as $\sigma := [H(m)^d \bmod N]$; see Construction 13.10.
In Section 12.3.2 we argued informally why this modification
prevents the above attacks when $H$ is a cryptographic hash function; we can
now see why the attacks do not apply if $H$ is modeled as a random oracle.

• When $H$ is a random oracle, then for any given $\sigma$ it will be hard to find an
$m$ such that $H(m) = [\sigma^e \bmod N]$. (See the discussion in Section 13.1.1
regarding why a random oracle acts like a one-way function.)

• If $\sigma_1$ and $\sigma_2$ are signatures on messages $m_1$ and $m_2$, respectively, this
means that $H(m_1) = \sigma_1^e \bmod N$ and $H(m_2) = \sigma_2^e \bmod N$. It is not
likely, however, that $\sigma = [\sigma_1 \cdot \sigma_2 \bmod N]$ is a valid signature on the
message $m = [m_1 \cdot m_2 \bmod N]$ since there is no reason to believe that
$H(m_1 \cdot m_2) = H(m_1) \cdot H(m_2) \bmod N$. (Indeed if $H$ is a random oracle,
the latter will happen with only negligible probability.)

We stress that the above merely serves as intuition, while in fact RSA-FDH
is provably resistant to the above attacks as a consequence of Theorem 13.11
that we will prove below. We stress also that the above informal arguments
can only be proven when $H$ is modeled as a random oracle; we do not know
how to prove anything like the above if $H$ is "only" collision-resistant, for
example.
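To see the two textbook-RSA forgeries above succeed, and then fail against RSA-FDH, here is an added Python example (not the book's code). It assumes a toy modulus built from two Mersenne primes, and it instantiates the full-domain hash $H : \{0,1\}^* \to \mathbb{Z}_N^*$ by expanding SHA-256 with a counter and reducing modulo $N$, a common way of building a full-domain hash that the book does not itself specify.

```python
"""RSA-FDH (Construction 13.10) next to textbook RSA, showing that the two
forgeries from Section 12.3.1 work against textbook RSA and not against FDH.

Added example, not the book's code.  Assumptions (toy only): the modulus is
the product of two Mersenne primes, and the full-domain hash is SHA-256
expanded with a counter and reduced mod N.
"""
import hashlib
import math

P, Q = 2**127 - 1, 2**89 - 1          # Mersenne primes: a toy RSA key only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def fdh(m):
    """Hash a byte string into Z_N^*.

    Eight extra bytes keep the mod-N bias around 2^-64; the outer counter
    re-derives on the (negligible) event that gcd(h, N) != 1."""
    nbytes = (N.bit_length() + 7) // 8 + 8
    ctr = 0
    while True:
        buf, i = b"", 0
        while len(buf) < nbytes:
            buf += hashlib.sha256(bytes([ctr, i]) + m).digest()
            i += 1
        h = int.from_bytes(buf[:nbytes], "big") % N
        if h and math.gcd(h, N) == 1:
            return h
        ctr += 1


def textbook_sign(m):
    """Textbook RSA: m is an element of Z_N^*, sigma := m^d mod N."""
    return pow(m, D, N)


def textbook_verify(m, sigma):
    return pow(sigma, E, N) == m % N


def fdh_sign(m):
    """RSA-FDH: m is an arbitrary byte string, sigma := H(m)^d mod N."""
    return pow(fdh(m), D, N)


def fdh_verify(m, sigma):
    return pow(sigma, E, N) == fdh(m)


def no_message_forgery(sigma):
    """Attack 1: pick sigma first, then set m := sigma^e mod N."""
    return pow(sigma, E, N), sigma


def multiplicative_forgery(m1, s1, m2, s2):
    """Attack 2: (s1 * s2) is a signature on (m1 * m2) under textbook RSA."""
    return (m1 * m2) % N, (s1 * s2) % N
```

Against FDH the first forgery yields only a hash value $[\sigma^e \bmod N]$ with no known preimage under $H$, and the second yields a valid RSA signature on the product $H(m_1) \cdot H(m_2)$, which is not $H(m)$ for any message the forger can name; the forger can still present that product as a message, but verification hashes it again and the check fails.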

We prove below that if the RSA problem is hard relative to GenRSA, then
RSA-FDH is existentially unforgeable under an adaptive chosen-message attack,
in the random oracle model. Toward intuition for this result, first consider
the case of existential unforgeability under a no-message attack; i.e.,
when the adversary cannot request any signatures. Here the adversary is limited
to making queries to the random oracle, and we can assume without loss
of generality that if the adversary outputs a purported forgery $(m, \sigma)$ then
the adversary had at some point previously queried $H(m)$. Letting $y_1, \ldots, y_q$
denote the answers that the adversary received in response to its $q$ queries to
the random oracle, we see that each $y_i$ is completely random; furthermore,
forging a valid signature on some message requires computing an $e$th root of
one of these values. It is thus not hard to see that, under the RSA assumption,
the adversary outputs a valid forgery with only negligible probability (since
computing $e$th roots of random elements is exactly the RSA problem).

More formally, starting with an adversary $\mathcal{A}$ forging a valid signature in a
no-message attack we construct an algorithm $\mathcal{A}'$ solving the RSA problem.
Given input $(N, e, y)$, algorithm $\mathcal{A}'$ first runs $\mathcal{A}$ on the public key $pk = (N, e)$.
It answers the random oracle queries of $\mathcal{A}$ with random elements of $\mathbb{Z}_N^*$ except
for a single query, chosen at random from among the $q$ oracle queries of $\mathcal{A}$,
that is answered with $y$. Say $\mathcal{A}$ outputs $(m, \sigma)$ with $\sigma^e = H(m) \bmod N$ (i.e.,
$\mathcal{A}$ outputs a forgery). If the input to $\mathcal{A}'$ was generated by choosing $y$ at
random from $\mathbb{Z}_N^*$, then the view of $\mathcal{A}$ when run as a subroutine by $\mathcal{A}'$ is
identically distributed to the view of $\mathcal{A}$ when attacking the original signature
scheme. Furthermore, $\mathcal{A}$ has no information regarding which oracle query was
answered with $y$. So with probability $1/q$ it will be the case that the query
$H(m)$ was the one that was answered with $y$, in which case $\mathcal{A}'$ solves the
given instance of the RSA problem by outputting $\sigma$, since $\sigma^e = y \bmod N$. We see
that if $\mathcal{A}$ succeeds with probability $\varepsilon$, then $\mathcal{A}'$ solves the RSA problem with
probability $\varepsilon/q$. Since $q$ is polynomial, we conclude that $\varepsilon$ must be negligible
if the RSA assumption holds.

Handling the case when the adversary is allowed to request signatures on
messages of its choice is more difficult. The complication arises since our
reduction $\mathcal{A}'$ above does not, of course, know the decryption exponent $d$,
yet now has to compute valid signatures on messages submitted by $\mathcal{A}$ to its
signing oracle. This seems impossible (and possibly even contradictory!) until
we realize that $\mathcal{A}'$ can correctly compute a signature on a message $m$ as long
as it sets $H(m)$ equal to $[\sigma^e \bmod N]$ for a known value $\sigma$. If $\sigma$ is chosen
uniformly at random then $[\sigma^e \bmod N]$ is uniformly distributed as well, and so
the random oracle is still emulated "properly" by $\mathcal{A}'$. Here we are using, in
an essential way, the fact that the random oracle is "programmable".

The above intuition forms the basis for the proof of the following:
THEOREM 13.11 If the RSA problem is hard relative to GenRSA and
$H$ is modeled as a random oracle, then Construction 13.10 is existentially
unforgeable under an adaptive chosen-message attack.
PROOF Let $\Pi = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ denote Construction 13.10, and let $\mathcal{A}$
be a probabilistic polynomial-time adversary. Define

$$\varepsilon(n) := \Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n) = 1].$$

For convenience, we describe the steps of experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n)$:

1. A random function $H$ is chosen.

2. $\mathsf{GenRSA}(1^n)$ is run to obtain $(N, e, d)$.

3. The adversary $\mathcal{A}$ is given $pk = (N, e)$, and may query $H(\cdot)$
and the signing oracle $\mathsf{Sign}_{(N,d)}(\cdot)$. (When $\mathcal{A}$ requests a signature
on a message $m$, it is given $\sigma := [H(m)^d \bmod N]$ in
return.)

4. Eventually, $\mathcal{A}$ outputs a pair $(m, \sigma)$ where $\mathcal{A}$ had not previously
requested a signature on $m$. The output of the experiment
is 1 if $\sigma^e = H(m) \bmod N$, and 0 otherwise.

Since we have already discussed the intuition above, we jump right into the
formal proof. To simplify matters, we assume without loss of generality that:
(1) $\mathcal{A}$ never makes the same random oracle query twice; (2) if $\mathcal{A}$ requests a
signature on a message $m$, then it had previously queried $H(m)$; and (3) if
$\mathcal{A}$ outputs $(m, \sigma)$ then it had previously queried $H(m)$.

Let $q = q(n)$ be a (polynomial) upper-bound on the number of random
oracle queries made by $\mathcal{A}$. Consider the following algorithm $\mathcal{A}'$:

Algorithm $\mathcal{A}'$:

The algorithm is given $(N, e, y^*)$ as input.

1. Choose $j \leftarrow \{1, \ldots, q\}$.

2. Give $\mathcal{A}$ the public key $pk = (N, e)$. Store triples $(\cdot, \cdot, \cdot)$ in a
table, initially empty. An entry $(m_i, \sigma_i, y_i)$ indicates that $\mathcal{A}'$
has set $H(m_i) = y_i$, and $\sigma_i^e = y_i \bmod N$.

3. When $\mathcal{A}$ makes its $i$th random oracle query $H(m_i)$, answer
it as follows:

• If $i = j$, return $y^*$.

• Otherwise, choose a random value $\sigma_i \leftarrow \mathbb{Z}_N^*$, compute
$y_i := [\sigma_i^e \bmod N]$, return $y_i$ as the answer to the query,
and store $(m_i, \sigma_i, y_i)$ in the table.

When $\mathcal{A}$ requests a signature on message $m$, let $i$ be such
that $m = m_i$ and answer the query as follows (see the footnote below):

• If $i \neq j$ then there is an entry $(m_i, \sigma_i, y_i)$ in the table.
Return $\sigma_i$.

• If $i = j$ then abort the experiment.

4. At the end of $\mathcal{A}$'s execution, it outputs $(m, \sigma)$. If $m = m_j$
and $\sigma^e = y^* \bmod N$, then output $\sigma$.

It is immediate that $\mathcal{A}'$ runs in probabilistic polynomial time. Say the
input to $\mathcal{A}'$ is generated by running $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$, and then
choosing $y^* \leftarrow \mathbb{Z}_N^*$ uniformly at random. The index $j$ chosen by $\mathcal{A}'$ in the first
step represents a guess as to which oracle query of $\mathcal{A}$ will correspond to the
eventual forgery output by $\mathcal{A}$. When this guess is correct, the view of $\mathcal{A}$ when
run as a subroutine by $\mathcal{A}'$ in experiment $\mathsf{RSA\text{-}inv}_{\mathcal{A}',\mathsf{GenRSA}}(n)$ is distributed
identically to the view of $\mathcal{A}$ in experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n)$. This is, in part,
because each of the $q$ random oracle queries of $\mathcal{A}$ when run as a subroutine
by $\mathcal{A}'$ is indeed answered with a random value:

• The query $H(m_j)$ is answered with $y^*$, which is a value that was chosen
uniformly at random from $\mathbb{Z}_N^*$.

• Queries $H(m_i)$ with $i \neq j$ are answered with $y_i = [\sigma_i^e \bmod N]$, where $\sigma_i$
is chosen uniformly at random from $\mathbb{Z}_N^*$. Since RSA is a permutation,
this means that $y_i$ is uniformly distributed in $\mathbb{Z}_N^*$ as well.

Moreover, $j$ is independent of the view of $\mathcal{A}$, unless $\mathcal{A}$ happens to request a
signature on $m_j$. But in this case the guess of $\mathcal{A}'$ was wrong (since $\mathcal{A}$ cannot
output a forgery on $m_j$ once it requests a signature on $m_j$).

When $\mathcal{A}'$ guesses correctly and $\mathcal{A}$ outputs a forgery, then $\mathcal{A}'$ solves the
given instance of the RSA problem (because $\sigma^e = y^* \bmod N$ and thus $\sigma$ is
the inverse of $y^*$, as required). Since $\mathcal{A}'$ guesses correctly with probability $1/q$,
we have that

$$\Pr[\mathsf{RSA\text{-}inv}_{\mathcal{A}',\mathsf{GenRSA}}(n) = 1] = \varepsilon(n)/q(n).$$

Because the RSA problem is hard relative to GenRSA, there exists a negligible
function $\mathsf{negl}$ such that

$$\Pr[\mathsf{RSA\text{-}inv}_{\mathcal{A}',\mathsf{GenRSA}}(n) = 1] \le \mathsf{negl}(n).$$

Since $q$ is polynomial, we conclude that $\varepsilon(n)$ is negligible as well, completing
the proof. ■


Footnote: Here $m_i$ denotes the $i$th query made to the random oracle. Recall our assumption that if
$\mathcal{A}$ requests a signature on a message, then it had previously queried the random oracle on
that message.
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Exercises 

13.1  Prove  that  the  pseudorandom  function  construction  in  Section  13.1.1  is 
indeed  secure  in  the  random  oracle  model. 

13.2 In this exercise we show a scheme that can be proven secure in the random oracle model, but is insecure when the random oracle is instantiated with SHA-1. (This exercise is a bit informal since SHA-1 is only defined for a fixed output length. Nevertheless, it illustrates the main idea.) Let Π be a signature scheme that is secure in the standard model. Construct a signature scheme Π_y where signing is carried out as follows: if H(0) = y, then output the secret key; if H(0) ≠ y, then return a signature computed using Π.

(a) Prove that for any value y, the scheme Π_y is secure in the random oracle model.

(b) Show that there exists a particular y for which Π_y is not secure when the random oracle is instantiated using SHA-1.
13.3 Consider a message authentication code Π = (Gen, Mac, Vrfy) where Mac_k(m) := H(k||m) for a function H : {0,1}* → {0,1}^n (note that k ∈ {0,1}^n and verification is carried out in the natural way). Show that if H is modeled as a random oracle, then Π is a secure message authentication code. Show that if H is any concrete hash function that is constructed via the Merkle-Damgård transform, then Π is not a secure message authentication code.

13.4 Consider Construction 13.5 instantiated with a private-key encryption scheme Π' that has indistinguishable encryptions in the presence of an eavesdropper. Prove that if the RSA problem is hard relative to GenRSA and H is modeled as a random oracle, then this gives a CPA-secure public-key encryption scheme.

13.5 Say a public-key encryption scheme (Gen, Enc, Dec) is one-way if any PPT adversary A has negligible probability of success in the following experiment:

• Gen(1^n) is run to obtain keys (pk, sk).

• A message m ← {0,1}^n is chosen uniformly at random, and a ciphertext c ← Enc_pk(m) is computed.

• A is given pk and c, and outputs a message m'. We say A succeeds if m' = m.

Show a construction of a CPA-secure public-key encryption scheme in the random oracle model based on any one-way public-key encryption scheme.

Can a public-key encryption scheme where encryption is deterministic be one-way? If not, give a proof; if so, show a construction based on any of the assumptions introduced in this book.

13.6 Say three users have RSA public keys (N_1, 3), (N_2, 3), and (N_3, 3) (i.e., they all use e = 3) with N_1 < N_2 < N_3. Consider the following method for sending the same message m to each of these parties: choose random r ← Z*_{N_1}, and send to everyone the same ciphertext

([r^3 mod N_1], [r^3 mod N_2], [r^3 mod N_3], H(r) ⊕ m).

(a) Show that this is insecure, and an adversary can recover m even when H is modeled as a random oracle.

Hint: See Section 10.4.2.

(b) Show a simple way to fix this scheme and obtain a CPA-secure scheme with a ciphertext of length 3|m| + O(n).

(c) Show a better approach that gives a ciphertext of length |m| + O(n).
13.7 Let Π = (Gen, Enc, Dec) be a public-key encryption scheme having indistinguishable encryptions under a chosen-plaintext attack, and let Π' = (Gen', Enc', Dec') be a private-key encryption scheme having indistinguishable encryptions under a chosen-ciphertext attack. Consider the following construction of a public-key encryption scheme Π*:

CONSTRUCTION 13.12

Let H : {0,1}^n → {0,1}^n be a function. Construct a public-key encryption scheme as follows:

• Gen*: on input 1^n, run Gen(1^n) to obtain (pk, sk). Output these as the public and private keys, respectively.

• Enc*: on input a public key pk and a message m ∈ {0,1}^n, choose a random r ← {0,1}^n and output the ciphertext

(Enc_pk(r), Enc'_{H(r)}(m)).

• Dec*: on input a private key sk and a ciphertext (c_1, c_2), compute r := Dec_sk(c_1) and set k := H(r). Then output Dec'_k(c_2).

Does the above construction have indistinguishable encryptions under a chosen-ciphertext attack, if H is modeled as a random oracle? If yes, provide a proof. If not, where does the approach used to prove Theorem 13.6 break down?


Index of Common Notation

General notation:

• If A is a randomized algorithm, then y ← A(x) denotes running A on input x with a uniformly-chosen random tape and assigning the output to y. We write A(x; r) to denote the deterministic computation of A on input x using random tape r.

• If S is a set, then x ← S denotes that x is chosen uniformly at random from S.

• ∧ denotes Boolean conjunction (the AND operator).

• ∨ denotes Boolean disjunction (the OR operator).

• ⊕ denotes the exclusive-or (XOR) operator; this operator can be applied to single bits or entire strings (and in the latter case, the XOR is bitwise).

• {0,1}^n is the set of all binary strings of length n.

• {0,1}^{≤n} is the set of all binary strings of positive length at most n.

• {0,1}* is the set of all finite strings of any positive length.

• 0^n (resp., 1^n) denotes the string comprised of n zeroes (resp., n ones).

• ||x|| denotes the length of the binary representation of the (positive) integer x, written with leading bit 1. Note that log x < ||x|| ≤ log x + 1.

• |x| denotes the length of the binary string x (which may have leading 0s), or the absolute value of the real number x.

• O(·), Θ(·), Ω(·), ω(·): see Appendix A.2.

• x||y and (x, y) are used interchangeably to denote concatenation of the strings x and y.

• Pr[X] denotes the probability of event X.

• x := y means that the variable x is assigned the value y.

• log x denotes the base-2 logarithm of x.
Crypto-specific notation:

• n is the security parameter.

• PPT stands for "probabilistic polynomial time".

• A^O denotes the algorithm A with oracle access to O.

• k typically denotes a secret key (as in private-key encryption and MACs).

• (pk, sk) denotes the public/private key-pair (for public-key encryption and digital signatures).

• negl denotes a negligible function; that is, a function μ for which for every polynomial p(·) there exists an integer N such that for n > N it holds that μ(n) < 1/p(n).

• poly(n) denotes an arbitrary polynomial.

• polylog(n) denotes poly(log(n)).

• Func_n denotes the set of functions mapping n-bit strings to n-bit strings.

• IV denotes an initialization vector (used for block cipher modes of operation and collision-resistant hash functions).

Algorithms and procedures:

• G denotes a pseudorandom generator.

• F denotes a keyed function that is typically a pseudorandom function or permutation.

• (Gen, Enc, Dec) denote the key generation, encryption, and decryption procedures, respectively, for both private- and public-key encryption. For the case of private-key encryption, when Gen is unspecified it is assumed that Gen(1^n) outputs k ← {0,1}^n chosen uniformly at random.

• (Gen, Mac, Vrfy) denote the key generation, tag generation, and verification procedures, respectively, for a message authentication code. When Gen is unspecified it is assumed that Gen(1^n) outputs k ← {0,1}^n chosen uniformly at random.

• (Gen, Sign, Vrfy) denote the key-generation, signature generation, and verification procedures, respectively, for a digital signature scheme.

• GenPrime denotes a probabilistic polynomial-time algorithm that, on input 1^n, outputs an n-bit prime except with probability negligible in n.

• GenModulus denotes a probabilistic polynomial-time algorithm that, on input 1^n, outputs (N, p, q) where N = pq and (except with negligible probability) p and q are n-bit primes.

• GenRSA denotes a probabilistic polynomial-time algorithm that, on input 1^n, outputs a modulus N, an integer e > 0 with gcd(e, φ(N)) = 1, and an integer d satisfying ed = 1 mod φ(N). Except with negligible probability, N is a product of two n-bit primes.

• 𝒢 denotes a probabilistic polynomial-time algorithm that, on input 1^n, outputs (except with negligible probability) a description of a cyclic group G (where the group operation in G can be computed in time poly(n)), the group order q (with ||q|| = n), and a generator g ∈ G.

Number theory:

• Z denotes the set of integers.

• a | b means a divides b.

• a ∤ b means that a does not divide b.

• gcd(a, b) denotes the greatest common divisor of a and b.

• [a mod b] denotes the remainder of a when divided by b. Note that 0 ≤ [a mod b] < b.

• x_1 = x_2 = ··· = x_n mod N means that x_1, ..., x_n are all congruent modulo N.

Note: x = y mod N means that x and y are congruent modulo N, whereas x = [y mod N] means that x is equal to the remainder of y when divided by N.

• Z_N denotes the additive group of integers modulo N and sometimes the set {0, ..., N − 1}.

• Z*_N denotes the multiplicative group of invertible integers modulo N (i.e., those that are relatively prime to N).

• φ(N) denotes the size of Z*_N.

• G and H denote groups.

• G_1 ≃ G_2 means that groups G_1 and G_2 are isomorphic. If this isomorphism is given by f and f(x_1) = x_2 then we write x_1 ↔ x_2.

• g is typically a generator of a group.

• log_g h denotes the discrete logarithm of h to the base g.

• ⟨g⟩ denotes the group generated by g.

• p and q usually denote primes.

• N typically denotes the product of two distinct primes p and q of equal length.

• QR_p is the set of quadratic residues modulo p.

• QNR_p is the set of quadratic non-residues modulo p.

• J_p(x) is the Jacobi symbol of x modulo p.

• J^{+1}_N is the set of elements with Jacobi symbol +1 modulo N.

• J^{−1}_N is the set of elements with Jacobi symbol −1 modulo N.

• QNR^{+1}_N is the set of quadratic non-residues modulo N having Jacobi symbol +1.
Mathematical Background

A.1 Identities and Inequalities

We list some standard identities and inequalities that are used at various times throughout the text.

THEOREM A.1 (Binomial Expansion Theorem) Let x, y be real numbers, and let n be a positive integer. Then

(x + y)^n = Σ_{i=0}^{n} (n choose i) x^i y^{n−i}.

PROPOSITION A.2 For all x > 1 it holds that (1 − 1/x)^x < e^{−1}.

PROPOSITION A.3 For all x it holds that 1 − x ≤ e^{−x}.

PROPOSITION A.4 For all x with 0 ≤ x ≤ 1 it holds that

A.2 Asymptotic Notation

We follow the standard notation for expressing the asymptotic behavior of functions.

DEFINITION A.5 Let f(n), g(n) be functions from non-negative integers to non-negative reals. Then:

• f(n) = O(g(n)) means that there exist positive integers c and n' such that for all n > n' it holds that f(n) ≤ c · g(n).

• f(n) = Ω(g(n)) means that there exist positive integers c and n' such that for all n > n' it holds that f(n) ≥ c · g(n).

• f(n) = Θ(g(n)) means that f(n) = O(g(n)) and f(n) = Ω(g(n)).

• f(n) = o(g(n)) means that lim_{n→∞} f(n)/g(n) = 0.

• f(n) = ω(g(n)) means that lim_{n→∞} f(n)/g(n) = ∞.

Example A.6

Let f(n) = n^4 + 3n + 500. Then:

• f(n) = O(n^4).

• f(n) = O(n^5). In fact, f(n) = o(n^5).

• f(n) = Ω(n^3 log n). In fact, f(n) = ω(n^3 log n).

• f(n) = Θ(n^4).


A.3 Basic Probability

We assume the reader is familiar with basic probability theory, on the level of what is covered in a typical undergraduate course on discrete mathematics. Here we simply remind the reader of some notation and basic facts.

If E is an event, then Ē denotes the complement of that event; i.e., Ē is the event that E does not occur. By definition, Pr[Ē] = 1 − Pr[E]. If E_1 and E_2 are events, then E_1 ∧ E_2 denotes their conjunction; i.e., E_1 ∧ E_2 is the event that both E_1 and E_2 occur. By definition, Pr[E_1 ∧ E_2] ≤ Pr[E_1]. Events E_1 and E_2 are said to be independent if Pr[E_1 ∧ E_2] = Pr[E_1] · Pr[E_2].

If E_1 and E_2 are events, then E_1 ∨ E_2 denotes the disjunction of E_1 and E_2; that is, E_1 ∨ E_2 is the event that either E_1 or E_2 occurs. It follows from the definition that Pr[E_1 ∨ E_2] ≥ Pr[E_1]. The union bound is often a very useful upper bound on this quantity.

PROPOSITION A.7 (Union Bound)

Pr[E_1 ∨ E_2] ≤ Pr[E_1] + Pr[E_2].

Repeated application of the union bound for any events E_1, ..., E_k gives

Pr[∨_{i=1}^{k} E_i] ≤ Σ_{i=1}^{k} Pr[E_i].
Let E_1, ..., E_n be events such that Pr[E_1 ∨ ··· ∨ E_n] = 1 and Pr[E_i ∧ E_j] = 0 for all i ≠ j. That is, the E_i partition the space of all possible events, so that with probability 1 exactly one of the events E_i occurs. Then

Pr[F] = Σ_{i=1}^{n} Pr[F ∧ E_i].

A special case is when n = 2 and E_2 = Ē_1, giving

Pr[F] = Pr[F ∧ E_1] + Pr[F ∧ Ē_1].


The conditional probability of E_1 given E_2, denoted Pr[E_1 | E_2], is defined as

Pr[E_1 | E_2] := Pr[E_1 ∧ E_2] / Pr[E_2]

as long as Pr[E_2] ≠ 0. (If Pr[E_2] = 0 then Pr[E_1 | E_2] is undefined.) This represents the probability that event E_1 occurs once it is given that event E_2 has occurred. It follows immediately from the definition that

Pr[E_1 ∧ E_2] = Pr[E_1 | E_2] · Pr[E_2];

equality holds even if Pr[E_2] = 0 as long as we interpret multiplication by zero on the right-hand side in the obvious way.

We can now easily derive Bayes' theorem.

THEOREM A.8 (Bayes' Theorem) If Pr[E_2] ≠ 0 then

Pr[E_1 | E_2] = Pr[E_1] · Pr[E_2 | E_1] / Pr[E_2].

PROOF We have

Pr[E_1 | E_2] = Pr[E_1 ∧ E_2] / Pr[E_2] = Pr[E_2 ∧ E_1] / Pr[E_2] = Pr[E_2 | E_1] · Pr[E_1] / Pr[E_2].
A.4 The "Birthday" Problem

If we choose q elements y_1, ..., y_q uniformly at random from a set of size N, what is the probability that there exist distinct i, j with y_i = y_j? We refer to the stated event as a collision, and denote the probability of this event by coll(q, N). This problem is related to the so-called birthday problem, which asks what size group of people we need to take such that with probability 1/2 some pair of people in the group share a birthday. To see the relationship, let y_i denote the birthday of the ith person in the group. If there are q people in the group then we have q values y_1, ..., y_q chosen uniformly from {1, ..., 365}, making the simplifying assumption that birthdays are uniformly and independently distributed among the 365 days of a non-leap year. Furthermore, matching birthdays correspond to a collision, i.e., distinct i, j with y_i = y_j. So the desired solution to the birthday problem is given by the minimal (integer) value of q for which coll(q, 365) ≥ 1/2. (The answer may surprise you: taking q = 23 people suffices!)

In this section, we prove coarse lower and upper bounds on coll(q, N). Taken together and summarized at a high level, they show that if q < √N then the probability of a collision is Θ(q^2/N); alternately, for q = Θ(√N) the probability of a collision is constant.

An upper bound for the collision probability is easy to obtain.

LEMMA A.9 Fix a positive integer N, and say q elements y_1, ..., y_q are chosen uniformly and independently at random from a set of size N. Then the probability that there exist distinct i, j with y_i = y_j is at most q^2/2N. That is,

coll(q, N) ≤ q^2 / (2N).

PROOF The proof is a simple application of the union bound (Proposition A.7). Recall that a collision means that there exist distinct i, j with y_i = y_j. Let Coll denote the event of a collision, and let Coll_{i,j} denote the event that y_i = y_j. It is immediate that Pr[Coll_{i,j}] = 1/N for any distinct i, j. Furthermore, Coll = ∨_{i≠j} Coll_{i,j} and so repeated application of the union bound implies that

Pr[Coll] = Pr[∨_{i≠j} Coll_{i,j}] ≤ Σ_{i≠j} Pr[Coll_{i,j}] = (q choose 2) · (1/N) ≤ q^2 / (2N).
LEMMA A.10 Fix a positive integer N, and say q ≤ √(2N) elements y_1, ..., y_q are chosen uniformly and independently at random from a set of size N. Then the probability that there exist distinct i, j with y_i = y_j is at least q(q − 1)/4N. That is,

coll(q, N) ≥ q(q − 1) / (4N).

PROOF Recall that a collision means that there exist distinct i, j with y_i = y_j. Let Coll denote this event. Let NoColl_i be the event that there is no collision among y_1, ..., y_i; that is, y_j ≠ y_k for all j < k ≤ i. Then NoColl_q = ¬Coll is the event that there is no collision at all.

If NoColl_q occurs then NoColl_i must also have occurred for all i ≤ q. Thus,

Pr[NoColl_q] = Pr[NoColl_1] · Pr[NoColl_2 | NoColl_1] ··· Pr[NoColl_q | NoColl_{q−1}].

Now, Pr[NoColl_1] = 1 since y_1 cannot collide with itself. Furthermore, if event NoColl_i occurs then {y_1, ..., y_i} contains i distinct values; so, the probability that y_{i+1} collides with one of these values is i/N, and hence the probability that y_{i+1} does not collide with any of these values is 1 − i/N. This means

Pr[NoColl_{i+1} | NoColl_i] = 1 − i/N,

and so

Pr[NoColl_q] = Π_{i=1}^{q−1} (1 − i/N).

Since i/N < 1 for all i, we have 1 − i/N ≤ e^{−i/N} (by Inequality A.3) and so:

Pr[NoColl_q] ≤ Π_{i=1}^{q−1} e^{−i/N} = e^{−q(q−1)/2N}.

We conclude that

Pr[Coll] = 1 − Pr[NoColl_q] ≥ 1 − e^{−q(q−1)/2N} ≥ q(q − 1)/4N,

using Inequality A.4 in the last step (note that q(q − 1)/2N ≤ 1).
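As an added example (not from the textbook), the following Python computes coll(q, N) exactly from the product in the proof of Lemma A.10 and compares it with the bounds of Lemmas A.9 and A.10; it also solves the birthday problem for N = 365. The function names are my own.

```python
"""Exact birthday-collision probability coll(q, N) beside the bounds of
Lemmas A.9 and A.10.  Added example, not the textbook's own code."""
from fractions import Fraction


def coll(q: int, N: int) -> Fraction:
    """Exact probability that q independent uniform draws from a set of
    size N contain a collision.  Follows the proof of Lemma A.10:
    Pr[NoColl_q] = prod_{i=1}^{q-1} (1 - i/N), and coll = 1 - Pr[NoColl_q]."""
    if q > N:
        return Fraction(1)  # pigeonhole: a collision is certain
    no_coll = Fraction(1)
    for i in range(1, q):  # factor for y_{i+1} not colliding with y_1..y_i
        no_coll *= Fraction(N - i, N)
    return 1 - no_coll


def upper_bound(q: int, N: int) -> Fraction:
    """Lemma A.9 (union bound): coll(q, N) <= q^2 / (2N)."""
    return Fraction(q * q, 2 * N)


def lower_bound(q: int, N: int) -> Fraction:
    """Lemma A.10: coll(q, N) >= q(q-1) / (4N), valid only for q <= sqrt(2N)."""
    if q * q > 2 * N:
        raise ValueError("Lemma A.10 requires q <= sqrt(2N)")
    return Fraction(q * (q - 1), 4 * N)


def bounds_hold(q: int, N: int) -> bool:
    """Check lower_bound <= coll <= upper_bound for one (q, N) pair."""
    p = coll(q, N)
    return lower_bound(q, N) <= p <= upper_bound(q, N)


def birthday_threshold(N: int, target: Fraction = Fraction(1, 2)) -> int:
    """Smallest q with coll(q, N) >= target (the birthday problem itself)."""
    q = 1
    no_coll = Fraction(1)          # Pr[NoColl_1] = 1
    while 1 - no_coll < target:
        no_coll *= Fraction(N - q, N)  # extend the product to Pr[NoColl_{q+1}]
        q += 1
    return q


if __name__ == "__main__":
    print("coll(23, 365) =", float(coll(23, 365)))
    print("smallest q with coll(q, 365) >= 1/2:", birthday_threshold(365))
    for q, N in [(23, 365), (10, 1000), (100, 2 ** 16)]:
        print(f"q={q:4d} N={N:6d}  lower={float(lower_bound(q, N)):.4f}"
              f"  exact={float(coll(q, N)):.4f}"
              f"  upper={float(upper_bound(q, N)):.4f}  ok={bounds_hold(q, N)}")
```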
Supplementary Algorithmic Number Theory

For the cryptographic constructions given in this book to be efficient (i.e., to run in time polynomial in the lengths of their inputs), it is necessary for these constructions to utilize efficient (that is, polynomial-time) algorithms for performing basic number-theoretic operations. Though in some cases these number-theoretic algorithms are trivial, it is still worthwhile to pause and consider their efficiency since for cryptographic applications it is not uncommon to use integers that are thousands of bits long. In other cases the algorithms themselves are quite clever, and an analysis of their performance may rely on non-trivial group-theoretic results.

In Appendix B.1 we describe basic algorithms for integer arithmetic. Here we cover the familiar algorithms for addition, subtraction, etc. as well as the Euclidean algorithm for computing greatest common divisors. We also discuss the extended Euclidean algorithm, assuming for that discussion that the reader has covered the material in Section 7.1.1.

In Appendix B.2 we show various algorithms for modular arithmetic. In addition to a brief discussion of basic modular operations (i.e., modular reduction, addition, multiplication, and inversion), we discuss algorithms for problems that are less commonly encountered outside the field of cryptography: exponentiation modulo N (as well as in arbitrary groups) and choosing a random element of Z_N or Z*_N (or in an arbitrary group). This section assumes familiarity with the basic group theory covered in Section 7.1.

The material listed above is used implicitly throughout the second half of the book, though it is not absolutely necessary to read this material in order to follow the book. (In particular, the reader willing to accept the results of this Appendix without proof can simply read the summary of these results in the theorems below.) Appendix B.3, which discusses the issue of finding generators in cyclic groups and assumes the results of Section 7.3.1, contains material that is hardly used at all; it is included for completeness and reference.

Since our goal is only to establish that certain problems can be solved in polynomial time, we have opted for simplicity rather than efficiency in our selection of algorithms and their descriptions (as long as the algorithms run in polynomial time). For this reason, we generally will not be interested in the exact running time of the algorithms we present beyond establishing that they indeed run in polynomial time. The reader who is seriously interested in implementing these algorithms is forewarned to look at other sources for more efficient alternatives as well as various techniques for speeding up the necessary computations.

The results in this Appendix are summarized by the theorems that follow. Throughout, we assume that any integer a provided as input is written using exactly ||a|| bits; i.e., the high-order bit is 1. In Appendix B.1 we show:

THEOREM B.1 (Integer Operations) Given integers a and b, it is possible to perform the following operations in time polynomial in ||a|| and ||b||:

1. Compute the sum a + b and the difference a − b;

2. Compute the product ab;

3. Compute positive integers q and r < b such that a = qb + r (i.e., compute division with remainder);

4. Compute the greatest common divisor of a and b, gcd(a, b);

5. Compute integers X, Y with Xa + Yb = gcd(a, b).

The following results are proved in Appendix B.2:

THEOREM B.2 (Modular Operations) Given integers N > 1, a, and b, it is possible to perform the following operations in time polynomial in ||a||, ||b||, and ||N||:

1. Compute the modular reduction [a mod N];

2. Compute the sum [(a + b) mod N], the difference [(a − b) mod N], and the product [ab mod N];

3. Determine whether a is invertible modulo N;

4. Compute the multiplicative inverse [a^{−1} mod N], assuming a is invertible modulo N;

5. Compute the exponentiation [a^b mod N].

The following generalizes Theorem B.2(4) to arbitrary groups:

THEOREM B.3 (Group Exponentiation) Let G be a group, written multiplicatively. Let g be an element of the group and let b be a non-negative integer. Then g^b can be computed using poly(||b||) group operations.
THEOREM B.4 (Choosing Random Elements) There exists a randomized algorithm with the following properties: on input N,

• The algorithm runs in time polynomial in ||N||;

• The algorithm outputs fail with probability negligible in ||N||; and

• Conditioned on not outputting fail, the algorithm outputs a uniformly-distributed element of Z_N.

An algorithm with analogous properties exists for Z*_N as well.

By way of notation, we let x ← Z_N denote the random selection of an element x from Z_N using, e.g., the algorithm guaranteed by the above theorem (with analogous notation for Z*_N). Since the probability of outputting fail is negligible, we ignore it (and instead leave this possibility implicit). In Appendix B.2 we also discuss generalizations of the above to the case of selecting a random element from any finite group.

A proof of the following is in Appendix B.3:

THEOREM B.5 (Testing and Finding Generators) Let G be a cyclic group of order q, and assume that the group operation and the selection of a random group element can be carried out in unit time.

1. There exists an algorithm that on input q, the prime factorization of q, and an element g ∈ G, runs in poly(||q||) time and correctly determines whether or not g is a generator of G.

2. There exists a randomized algorithm that on input q and the prime factorization of q, runs in poly(||q||) time and outputs a generator of G except with probability negligible in ||q||. Conditioned on the output being a generator, it is uniformly-distributed among the generators of G.

B.1 Integer Arithmetic

B.1.1 Basic Operations

We begin our exploration of algorithmic number theory with a discussion of integer addition/subtraction, multiplication, and division with remainder. A little thought shows that all these operations can be carried out in time polynomial in the input length using the standard "grade-school" algorithms for these problems. For example, addition of two positive integers a and b with a > b can be done in time linear in ||a|| by stepping one-by-one through the bits of a and b, starting with the low-order bits, and computing the corresponding output bit and a "carry bit" at each step. (Details are omitted.) Multiplication of two n-bit integers a and b, to take another example, can be done by first generating a list of n integers of length at most 2n (each of which is equal to a · 2^{i−1} · b_i, where b_i is the ith bit of b) and then adding these n integers together to obtain the final result.

Although these grade-school algorithms already suffice to demonstrate that the aforementioned problems can be solved in polynomial time, it is interesting to note that these algorithms are in some cases not the best ones available. As an example, the simple algorithm for multiplication given above runs in time O(n^2) to multiply two n-bit integers, but there exists an alternate algorithm running in time O(n^{log_2 3}) (and even that is not the best possible). While the difference is insignificant for numbers of the size we encounter daily, it becomes noticeable when the numbers are large. In cryptographic applications it is not uncommon to use integers that are thousands of bits long (i.e., n > 1000), and a judicious choice of which algorithms to use then becomes critical.

B.1.2 The Euclidean and Extended Euclidean Algorithms

Recall from Section 7.1 that gcd(a, b), the greatest common divisor of two integers a and b, is the largest integer d that divides both a and b. We state an easy proposition regarding the greatest common divisor, and then show how this leads to an efficient algorithm for computing gcd's.

PROPOSITION B.6 Let a, b ≥ 1 with b ∤ a. Then

gcd(a, b) = gcd(b, [a mod b]).

PROOF If b > a the stated claim is immediate. So assume a > b. Write a = qb + r for q, r positive integers and r < b (cf. Proposition 7.1); note that r > 0 because b ∤ a. Since r = [a mod b], we prove the proposition by showing that gcd(a, b) = gcd(b, r).

Let d = gcd(a, b). Then d divides both a and b, and so d also divides r = a − qb. By definition of the greatest common divisor, we thus have

gcd(b, r) ≥ d = gcd(a, b).

Let d' = gcd(b, r). Then d' divides both b and r, and so d' also divides a = qb + r. By definition of the greatest common divisor, we thus have

gcd(a, b) ≥ d' = gcd(b, r).

Since d ≥ d' and d' ≥ d, we conclude that d = d'.

The above proposition suggests the recursive Euclidean algorithm (Algorithm B.7) for computing the greatest common divisor gcd(a, b) of two integers a and b.

ALGORITHM B.7

The Euclidean algorithm GCD

Input: Integers a, b with a ≥ b > 0

Output: The greatest common divisor of a and b

if b divides a
    return b
else return GCD(b, [a mod b])

Correctness of the algorithm follows readily from Proposition B.6. As for its running time, we show below that on input (a, b) the algorithm makes fewer than 2 · ||b|| recursive calls. Since checking whether b divides a and computing [a mod b] can both be done in time polynomial in ||a|| and ||b||, this implies that the entire algorithm runs in polynomial time.

PROPOSITION B.8 Consider an execution of GCD(a_0, b_0), and let a_i, b_i (for i = 1, ..., ℓ) denote the arguments to the ith recursive call of GCD. Then

b_{i+2} < b_i/2 for 0 ≤ i ≤ ℓ − 2.

PROOF Since b_{i+1} = [a_i mod b_i], we always have b_{i+1} < b_i and so the {b_i} decrease as i increases. Fixing arbitrary i with 0 ≤ i ≤ ℓ − 2, we show that b_{i+2} < b_i/2. If b_{i+1} ≤ b_i/2 we are done (because b_{i+2} < b_{i+1}). Otherwise, we have b_{i+1} > b_i/2. Now, since a_{i+1} = b_i, the (i + 1)st recursive call is

GCD(a_{i+1}, b_{i+1}) = GCD(b_i, b_{i+1}),

and

b_{i+2} = [a_{i+1} mod b_{i+1}] = [b_i mod b_{i+1}] = b_i − b_{i+1} < b_i/2,

using the fact that b_i > b_{i+1} > b_i/2 for both the third equality and the final inequality.

COROLLARY B.9 In an execution of algorithm GCD(a, b), there are at most 2||b|| − 2 recursive calls to GCD.

PROOF Let a_i, b_i (for i = 1, ..., ℓ) denote the arguments to the ith recursive call of GCD. The {b_i} are always greater than zero, and the algorithm makes no further recursive calls if it ever happens that b_i = 1 (since then b_i | a_i). The previous proposition indicates that the {b_i} decrease by a multiplicative factor of (at least) 2 in every two iterations. It follows that the number of recursive calls to GCD is at most 2 · (||b|| − 1).


The Extended Euclidean Algorithm

By Proposition 7.2, we know that for positive integers a, b there exist integers X, Y with Xa + Yb = gcd(a, b). A simple modification of the Euclidean algorithm, called the extended Euclidean algorithm, can be used to find X, Y in addition to computing gcd(a, b); see Algorithm B.10 below. You are asked to show correctness of the extended Euclidean algorithm in Exercise B.1, and to prove that the algorithm runs in polynomial time in Exercise B.2.

ALGORITHM B.10

The extended Euclidean algorithm eGCD

Input: Integers a, b with a ≥ b > 0

Output: (d, X, Y) with d = gcd(a, b) and Xa + Yb = d

if b divides a
    return (b, 0, 1)
else
    Compute integers q, r with a = qb + r and 0 < r < b
    (d, X, Y) := eGCD(b, r)    /* note that Xb + Yr = d */
    return (d, Y, X − Yq)
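As an added example (not the textbook's own code), here are Algorithms B.7 and B.10 in Python, together with a check of Proposition B.8 and Corollary B.9 on the recorded recursion trace, and the modular-inverse computation that Section B.2.2 builds on eGCD. Function names are my own; ||x|| is taken to be the bit length of x, as in the text's notation.

```python
"""Euclidean algorithm GCD (Algorithm B.7) and extended Euclidean algorithm
eGCD (Algorithm B.10), with the recursion bounds of Proposition B.8 and
Corollary B.9 checked on real traces.  Added example, not from the book."""


def gcd_trace(a: int, b: int):
    """Algorithm B.7 on input a >= b > 0.  Returns (gcd, trace), where trace
    lists the arguments (a_i, b_i) of each recursive call in order."""
    if not a >= b > 0:
        raise ValueError("require a >= b > 0")
    trace = []

    def GCD(a, b):
        if a % b == 0:              # if b divides a: return b
            return b
        trace.append((b, a % b))    # arguments (a_{i+1}, b_{i+1}) = (b, [a mod b])
        return GCD(b, a % b)        # else return GCD(b, [a mod b])

    return GCD(a, b), trace


def egcd(a: int, b: int):
    """Algorithm B.10 on input a >= b > 0.
    Returns (d, X, Y) with d = gcd(a, b) and X*a + Y*b = d."""
    if not a >= b > 0:
        raise ValueError("require a >= b > 0")
    if a % b == 0:
        return (b, 0, 1)            # b = 0*a + 1*b
    q, r = divmod(a, b)             # a = qb + r with 0 < r < b
    d, X, Y = egcd(b, r)            # note that X*b + Y*r = d
    return (d, Y, X - Y * q)        # r = a - qb, so d = Y*a + (X - Yq)*b


def recursion_bounds_hold(a: int, b: int) -> bool:
    """Proposition B.8: b_{i+2} < b_i / 2 for 0 <= i <= l - 2.
    Corollary B.9: at most 2||b|| - 2 recursive calls, with ||b|| = bit length."""
    _, trace = gcd_trace(a, b)
    bs = [b] + [bi for (_, bi) in trace]          # b_0, b_1, ..., b_l
    halving = all(bs[i + 2] < bs[i] / 2 for i in range(len(bs) - 2))
    return halving and len(trace) <= 2 * b.bit_length() - 2


def mod_inverse(a: int, N: int) -> int:
    """[a^{-1} mod N] via eGCD (the application taken up in Section B.2.2).
    Raises ValueError when gcd(a, N) != 1, i.e. a is not invertible mod N."""
    a = a % N
    if a == 0:
        raise ValueError("0 is not invertible")
    d, X, Y = egcd(N, a)            # X*N + Y*a = d, so Y*a = d mod N
    if d != 1:
        raise ValueError(f"{a} is not invertible modulo {N}")
    return Y % N


if __name__ == "__main__":
    d, trace = gcd_trace(240, 46)
    print("gcd(240, 46) =", d, "via recursive calls", trace)
    print("eGCD(240, 46) =", egcd(240, 46))       # (2, -9, 47): -9*240 + 47*46 = 2
    print("bounds hold for all a >= b in 1..60:",
          all(recursion_bounds_hold(a, b) for a in range(1, 61) for b in range(1, a + 1)))
    print("3^{-1} mod 7 =", mod_inverse(3, 7))
```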


B.2 Modular Arithmetic

We now turn our attention to some basic arithmetic operations modulo N. In this section, N > 1 is arbitrary unless stated otherwise. We will use Z_N to refer both to the set {0, ..., N − 1} as well as to the group that results by considering addition modulo N among the elements of this set. We use Z*_N similarly.


B.2.1  Basic  Operations 

Efficient algorithms for the basic arithmetic operations over the integers
immediately imply efficient algorithms for the corresponding arithmetic operations
modulo N. For example, computing the modular reduction [a mod N]
can be done in time polynomial in $\|a\|$ and $\|N\|$ by simply computing division-with-remainder
over the integers. Next, say $\|N\| = n$ and consider modular
operations on two elements $a, b \in \mathbb{Z}_N$. (Note that a, b have length at most n.
Actually, it is convenient to simply require that all elements of $\mathbb{Z}_N$ have length
exactly n, padding to the left with 0s if necessary.) Addition of a and b modulo
N can be done by first computing a + b, which is an integer of length at
most n + 1, and then reducing this intermediate result modulo N. Similarly,
multiplication modulo N can be performed by first computing the integer ab
of length at most 2n, and then reducing the result modulo N. Since addition,
multiplication, and division-with-remainder can all be done in polynomial
time, these give polynomial-time algorithms for addition and multiplication
modulo N.
B.2.2 Computing Modular Inverses

Our discussion thus far has shown how to add, subtract, and multiply modulo
N. One operation we are missing is “division” or, equivalently, computing
multiplicative inverses modulo N. Recall from Section 7.1.2 that the multiplicative
inverse (modulo N) of an element $a \in \mathbb{Z}_N$ is an element $a^{-1} \in \mathbb{Z}_N$
such that $a \cdot a^{-1} = 1 \bmod N$. Proposition 7.7 shows that a has an inverse
if and only if gcd(a, N) = 1, i.e., if and only if $a \in \mathbb{Z}_N^*$. Thus, using the
Euclidean algorithm we can easily determine whether a given element a has
a multiplicative inverse modulo N.

Given N and $a \in \mathbb{Z}_N$ with gcd(a, N) = 1, Proposition 7.2 tells us that
there exist integers X, Y with Xa + YN = 1. Recall that [X mod N] is the
multiplicative inverse of a; this holds since

$[X \bmod N] \cdot a = Xa = 1 - YN = 1 \bmod N.$

Integers X and Y satisfying Xa + YN = 1 can be found efficiently using the
extended Euclidean algorithm eGCD shown in Section B.1.2. This leads to the
following polynomial-time algorithm for computing multiplicative inverses:


ALGORITHM B.11
Computing modular inverses

Input: Modulus N; element a
Output: $[a^{-1} \bmod N]$ (if it exists)

(d, X, Y) := eGCD(a, N)  /* note that Xa + YN = gcd(a, N) */
if d ≠ 1 return “a is not invertible modulo N”
else return [X mod N]
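Algorithms B.10 and B.11 written out in Python, as an added example that is not code from the book. The function names, the relaxation of the input condition to a ≥ 0, b > 0, and the call counter used to check Corollary B.9 are this example's own choices.

```python
"""The extended Euclidean algorithm (Algorithm B.10) and modular inversion
built on it (Algorithm B.11). Added illustration, not code from the book."""

from typing import Optional


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (d, X, Y) with d = gcd(a, b) and X*a + Y*b = d, following the
    recursion of Algorithm B.10.

    The book's listing assumes a > b > 0.  Here a >= 0 and b > 0 suffice:
    when a < b the first step has q = 0, r = a and simply swaps the arguments.
    """
    if b <= 0:
        raise ValueError("b must be positive")
    q, r = divmod(a, b)             # a = q*b + r with 0 <= r < b
    if r == 0:                      # b divides a
        return b, 0, 1
    d, x, y = egcd(b, r)            # x*b + y*r = d
    # Substitute r = a - q*b:  x*b + y*(a - q*b) = y*a + (x - y*q)*b.
    return d, y, x - y * q


def mod_inverse(a: int, n: int) -> Optional[int]:
    """Algorithm B.11: return [a^{-1} mod n], or None if gcd(a, n) != 1."""
    d, x, _ = egcd(a % n, n)        # x*a + y*n = d
    if d != 1:
        return None                 # "a is not invertible modulo n"
    return x % n


def gcd_recursive_calls(a: int, b: int) -> int:
    """Number of recursive calls the Euclidean recursion makes on (a, b),
    for checking Corollary B.9's bound of 2*||b|| - 2 (||b|| = bit length)."""
    calls = 0
    while a % b != 0:
        a, b = b, a % b
        calls += 1
    return calls
```

Corollary B.9 bounds the recursion depth by 2||b|| − 2, which for a 2048-bit modulus exceeds Python's default recursion limit of 1000, so the recursive form above is for study; for real moduli one uses the iterative form of the same recursion, or Python 3.8+'s built-in `pow(a, -1, n)`, which raises `ValueError` exactly when `mod_inverse` returns `None`.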


B.2.3  Modular  Exponentiation 

A more challenging task is that of exponentiation modulo N; that is, computing
$[a^b \bmod N]$ for base $a \in \mathbb{Z}_N$ and integer exponent b > 0. (When b = 0
the problem is easy. When b < 0 and $a \in \mathbb{Z}_N^*$ then $a^b = (a^{-1})^{-b} \bmod N$
and the problem is reduced to the case of exponentiation with a positive
exponent given that we can compute inverses as discussed in the previous
section.) Notice that the basic approach used in the case of addition and
multiplication (i.e., computing the integer $a^b$ and then reducing this intermediate
result modulo N) does not work here: the integer $a^b$ has length
$\|a^b\| = \Theta(\log a^b) = \Theta(b \cdot \|a\|)$, and so even storing the intermediate result
would require time that is exponential in $\|b\| = \Theta(\log b)$.

We can address this problem by reducing modulo N repeatedly throughout
the process of computing the result, rather than waiting until the end
to reduce modulo N. This has the effect of keeping the intermediate results
“small” throughout the computation. Even with this important initial observation,
it is still non-trivial to design a polynomial-time algorithm for modular
exponentiation. Consider the following naive approach:


ALGORITHM B.12

A naive algorithm for modular exponentiation

Input: Modulus N; base $a \in \mathbb{Z}_N$; integer exponent b > 0
Output: $[a^b \bmod N]$

x := 1
for i = 1 to b:
    x := x · a mod N
return x


Since this algorithm uses b iterations of the inner loop, it still runs in time
that is exponential in $\|b\|$.

The naive algorithm given above can be viewed as relying on the following
recurrence:

$[a^b \bmod N] = [a \cdot a^{b-1} \bmod N] = [a \cdot a \cdot a^{b-2} \bmod N] = \cdots,$

and could easily have been written recursively in which case the correspondence
would be even more clear. Looking at the above equation, we see that
any algorithm depending on this recurrence will require $\Theta(b)$ time. We can
do better by making use of the following recurrence:

$[a^b \bmod N] = \begin{cases} [(a^{b/2})^2 \bmod N] & \text{when } b \text{ is even} \\ [a \cdot (a^{(b-1)/2})^2 \bmod N] & \text{when } b \text{ is odd.} \end{cases}$

Following this approach leads to a recursive algorithm — called, for obvious
reasons, “square-and-multiply” (or sometimes “repeated squaring”) — that
requires only $O(\log b) = O(\|b\|)$ modular squarings/multiplications; see Algorithm
B.13. In the algorithm, the length of b decreases by 1 in each recursive
call; it follows that the number of recursive calls is at most $\|b\|$. Furthermore,
the operations carried out during each recursive call can be performed in time
polynomial in $\|a\|$ and $\|N\|$. It follows that the algorithm as a whole runs in
time polynomial in $\|a\|$, $\|b\|$, and $\|N\|$. Looking carefully at the algorithm, we
see that it performs at most $2 \cdot \|b\|$ multiplications-plus-reductions modulo N.
Algorithm B.13 is written recursively for ease of understanding. In practice,
for reasons of efficiency, an iterative algorithm is preferred. See Exercise B.3.


ALGORITHM B.13

Algorithm ModExp for efficient modular exponentiation

Input: Modulus N; base $a \in \mathbb{Z}_N$; integer exponent b > 0
Output: $[a^b \bmod N]$

if b = 1 return a
else
    if b is even
        t := ModExp(N, a, b/2)
        return $[t^2 \bmod N]$
    if b is odd
        t := ModExp(N, a, (b − 1)/2)
        return $[a \cdot t^2 \bmod N]$


Fix a and N and consider the modular exponentiation function given by
$f_{a,N}(b) = [a^b \bmod N]$. We have just seen that computing $f_{a,N}$ is easy. In
contrast, computing the inverse of this function — that is, computing b given
a, N, and $[a^b \bmod N]$ — is believed to be hard for appropriate choice of a
and N. Inverting the modular exponentiation function is known as solving
the discrete logarithm problem, something we discuss in detail in Section 7.3.2.

Exponentiation  in  Arbitrary  Groups 

The efficient modular exponentiation algorithm given above carries over in
a straightforward way to enable efficient exponentiation in any group, as long
as the underlying group operation can be performed efficiently. Specifically,
if G is a group and g is an element of G, then $g^b$ can be computed using at
most $2 \cdot \|b\|$ applications of the underlying group operation.

If the order q of G is known, then $g^b = g^{[b \bmod q]}$ (cf. Proposition 7.49) and
this can be used to further speed up the computation by reducing b modulo q
first. This remark applies also to the modular exponentiation algorithms
described earlier.

Considering the (additive) group $\mathbb{Z}_N$, the group exponentiation algorithm
just described gives a method for computing the “exponentiation”

$[b \cdot g \bmod N] \stackrel{\text{def}}{=} [\underbrace{g + \cdots + g}_{b \text{ times}} \bmod N]$

that differs from the method discussed earlier that relies on standard integer
multiplication followed by a modular reduction. In comparing the two approaches
to solving the same problem, note that the original algorithm uses
specific information about $\mathbb{Z}_N$; in particular, it (essentially) treats the “exponent”
b as an element of $\mathbb{Z}_N$ (possibly by reducing b modulo N first). In
contrast, the “square-and-multiply” algorithm just presented treats $\mathbb{Z}_N$ only
as an abstract group. (Of course, the group operation of addition modulo N
relies on the specifics of $\mathbb{Z}_N$.)

The point of this discussion is merely to illustrate that some group algorithms
are generic (i.e., they apply equally well to all groups) while some
group algorithms rely on specific properties of a particular group or class of
groups. We saw some examples of this phenomenon in Chapter 8.
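The square-and-multiply recurrence of Algorithm B.13, the naive Algorithm B.12 it replaces, and the generic form that uses only an abstract group operation (applied to the additive group $\mathbb{Z}_N$ just discussed), written in Python as an added example; this is not code from the book. The multiplication counter, used to check the $2 \cdot \|b\|$ bound, and the names `group_exp` and `additive_exp` are this example's own.

```python
"""Square-and-multiply exponentiation: Algorithm B.13 for Z_N, the naive
Algorithm B.12 beside it, and the same recurrence over an abstract group
given only by its operation. Added illustration, not code from the book."""

from typing import Callable, Optional, TypeVar

T = TypeVar("T")


def naive_mod_exp(n: int, a: int, b: int) -> int:
    """Algorithm B.12: b multiplications modulo n, so time exponential in ||b||."""
    x = 1
    for _ in range(b):
        x = x * a % n
    return x


def mod_exp(n: int, a: int, b: int, counter: Optional[list] = None) -> int:
    """Algorithm B.13, written recursively as in the book.

    counter, if given, is a one-element list accumulating the number of
    multiplications-plus-reductions modulo n (the text bounds it by 2*||b||).
    """
    if b < 0:
        raise ValueError("negative exponent: invert a first (Section B.2.2)")
    if b == 0:
        return 1 % n                    # the "easy" case mentioned in the text
    if b == 1:
        return a % n
    if b % 2 == 0:
        t = mod_exp(n, a, b // 2, counter)
        if counter is not None:
            counter[0] += 1
        return t * t % n                # [t^2 mod n]
    t = mod_exp(n, a, (b - 1) // 2, counter)
    if counter is not None:
        counter[0] += 2
    return a * t * t % n                # [a * t^2 mod n]


def mod_exp_with_count(n: int, a: int, b: int) -> tuple[int, int]:
    """Return ([a^b mod n], number of modular multiplications used)."""
    counter = [0]
    result = mod_exp(n, a, b, counter)
    return result, counter[0]


def group_exp(op: Callable[[T, T], T], g: T, b: int) -> T:
    """The same recurrence over any group, using only the group operation op.
    Requires b >= 1, so no identity element needs to be supplied."""
    if b < 1:
        raise ValueError("b must be at least 1")
    if b == 1:
        return g
    if b % 2 == 0:
        t = group_exp(op, g, b // 2)
        return op(t, t)
    t = group_exp(op, g, (b - 1) // 2)
    return op(g, op(t, t))


def additive_exp(n: int, g: int, b: int) -> int:
    """[b * g mod n] computed by repeated addition in the additive group Z_n,
    i.e. group_exp with op = addition modulo n (the text's Z_N example)."""
    return group_exp(lambda x, y: (x + y) % n, g % n, b)
```

`group_exp` never inspects its elements, which is exactly the "generic algorithm" point of the text: the same function computes $g^b$ in $\mathbb{Z}_N^*$ with `op = lambda x, y: x * y % N` and $[b \cdot g \bmod N]$ in $\mathbb{Z}_N$ with `op = lambda x, y: (x + y) % N`, and only the operation passed in knows anything about $\mathbb{Z}_N$.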
B.2.4 Choosing a Random Group Element

For cryptographic applications, it is often required to choose a random
element of a given group G. (Recall our convention that “random” means
“uniformly distributed.”) We first treat the problem in an abstract group,
and then focus specifically on the cases of $\mathbb{Z}_N$ and $\mathbb{Z}_N^*$.

Elements of a group G must be specified using some representation of these
elements as bit-strings, where we assume without any real loss of generality
that the elements of a given group are all represented using strings of the
same length. (It is also crucial, especially for our discussion in this section,
that there is a unique string representing each group element.) For example,
if $\|N\| = n$ then elements of $\mathbb{Z}_N$ can all be represented as strings of length n,
where the integer $a \in \mathbb{Z}_N$ is simply padded to the left with 0s in case $\|a\| < n$.

We do not focus much on the issue of representation, since for all the groups
considered in this text the representation can simply be taken to be the “natural”
one (as in the case of $\mathbb{Z}_N$, above). Note, however, that different representations
of the same group can affect the complexity of performing various
computations, and so choosing the “right” representation for a given group is
often important in practice. Since our goal is only to show polynomial-time
algorithms for each of the operations we need (and not to show the most efficient
algorithms known), the exact representation used is less important for
our purposes. Moreover, most of the “higher-level” algorithms we present use
the group operation in a “black-box” manner, so that as long as the group
operation can be performed in polynomial time (in some parameter), the resulting
algorithm will run in polynomial time as well.

Given a group G where elements are represented by strings of length $\ell$, a
random group element can be selected by choosing random $\ell$-bit strings until
a group element is found. To obtain an algorithm with bounded running
time, we introduce a parameter t bounding the maximum number of times
this process is repeated; if all t iterations fail to select an element of G, then
the algorithm outputs fail. (An alternative is to output an arbitrary element
of G.) That is:


ALGORITHM B.14
Choosing a random group element

Input: A (description of a) group G; length-parameter $\ell$;
parameter t

Output: A random element of G
for i = 1 to t:
    $x \leftarrow \{0,1\}^{\ell}$
    if $x \in G$ return x
return “fail”
It is fairly obvious that whenever the above algorithm does not output fail,
it outputs a uniformly-distributed element of G. This is simply because each
element of G is equally likely to be chosen in any given iteration. Formally,
if we let Fail denote the event that the algorithm outputs fail, then for any
element $g \in G$ we have

$\Pr[\text{output of the algorithm equals } g \mid \overline{\text{Fail}}] = \frac{1}{|G|}.$

What is the probability that the algorithm outputs fail? In any given iteration
the probability that $x \in G$ is exactly $|G|/2^{\ell}$, and so the probability that
x does not lie in G in any of the t iterations is

$\left(1 - \frac{|G|}{2^{\ell}}\right)^{t}. \qquad \text{(B.1)}$

In cryptographic settings, there will be a security parameter n and the
group G (as well as $\ell$) will depend on n rather than being fixed. Formally, we
fix some class $\mathcal{C}$ of groups (rather than a single group), associate a value n
with each group in the class, and ask whether it is possible to sample a random
element from a group $G \in \mathcal{C}$ in time polynomial in the parameter n associated
with G. That is, we ask whether it is possible to sample a random element in
polynomial time from the groups in the class $\mathcal{C}$.

(As a technical note, the class also specifies a representation for each group
G in the class. We require t = poly(n) and assume that all groups sharing a
particular value of n have the same length-parameter $\ell = \ell(n)$.)

As an example, we can consider the class of groups $\{\mathbb{Z}_N\}$
with parameter $n = \|N\|$ associated with the group $\mathbb{Z}_N$ in this class. Then
the question is whether it is possible to sample a random element from $\mathbb{Z}_N$ in
poly($\|N\|$) time.

There is a trade-off between the running time of Algorithm B.14 and the
probability that the algorithm outputs fail, since increasing t decreases the
probability of failure but increases the worst-case running time. For cryptographic
applications we need an algorithm where the worst-case running time
is polynomial in n, while the failure probability is negligible in n. To achieve
this, two conditions must hold for each group G (with parameter n) in the
class:

1. It should be possible to determine in poly(n) time whether an $\ell(n)$-bit
string is an element of G or not; and

2. the probability that a random $\ell(n)$-bit string is an element of G should
be at least 1/poly(n).

The need for the first condition is obvious, since Algorithm B.14 needs to check
whether $x \in G$. Say the second condition holds, i.e., there is a polynomial p
such that for every group G (in the given class $\mathcal{C}$) with associated parameter n
and length-parameter $\ell = \ell(n)$, the probability that a random $\ell(n)$-bit string is
an element of G is at least $1/p(n)$. Set $t(n) = \lceil p(n) \cdot n \rceil$. Then the probability
that the algorithm outputs fail is (cf. Equation (B.1)):

$\left(1 - \frac{|G|}{2^{\ell}}\right)^{\lceil p(n) n \rceil} \le \left(1 - \frac{1}{p(n)}\right)^{\lceil p(n) n \rceil} \le \left(1 - \frac{1}{p(n)}\right)^{p(n) n} \le \left(e^{-1}\right)^{n} = e^{-n},$

using Proposition A.2 for the third inequality. We thus see that when the
second condition holds, it is possible to obtain an algorithm with t = poly(n)
and failure probability negligible in n.

We  stress  that  the  two  conditions  given  above  are  not  guaranteed  to  hold  for 
arbitrary  classes  of  groups.  Instead,  they  must  be  verified  for  each  particular 
class  of  interest. 


The Case of $\mathbb{Z}_N$

Consider groups of the form $\mathbb{Z}_N$, with $n = \|N\|$. It is easy to verify each
of the conditions outlined previously. Checking whether an n-bit string x
(interpreted as a positive integer of length at most n) is an element of $\mathbb{Z}_N$
simply requires checking whether x < N, which can clearly be done in poly(n)
time. Furthermore, the probability that a random n-bit string lies in $\mathbb{Z}_N$ is

$\frac{N}{2^n} \ge \frac{2^{n-1}}{2^n} = \frac{1}{2}.$

For  concreteness,  we  show  the  algorithm  resulting  from  the  above: 


ALGORITHM B.15

Choosing a random element of $\mathbb{Z}_N$

Input: Modulus N of length n
Output: A random element of $\mathbb{Z}_N$

for i = 1 to 2n:
    $x \leftarrow \{0,1\}^{n}$
    if x < N return x
return “fail”


This algorithm runs in poly(n) time, and outputs fail with probability negligible
in n.
The Case of $\mathbb{Z}_N^*$

Consider next groups of the form $\mathbb{Z}_N^*$, with $n = \|N\|$ as before. We leave
it to the exercises to show how to determine whether an n-bit string x is an
element of $\mathbb{Z}_N^*$ or not. To prove the second condition, we need to show that
$\phi(N)/2^n \ge 1/\mathrm{poly}(n)$. Since

$\frac{\phi(N)}{2^n} = \frac{N}{2^n} \cdot \frac{\phi(N)}{N},$

and we have already seen that $N/2^n \ge 1/2$, the desired bound is a consequence of
the following theorem.


THEOREM B.16 For N > 3 of length n, we have $\phi(N)/N > 1/(2n)$.


(Stronger bounds are known, but the above suffices for our purpose.) We
do not prove the theorem, but instead content ourselves with lower-bounding
$\phi(N)/N$ in two special cases: when N is prime and when N is a product of
two close-to-equal-length (distinct) primes.

The analysis is easy when N is an odd prime. Here $\phi(N) = N - 1$ and, as
when we analyzed the algorithm for choosing a random element of $\mathbb{Z}_N$,

$\frac{\phi(N)}{2^n} = \frac{N-1}{2^n} \ge \frac{2^{n-1}}{2^n} = \frac{1}{2}.$

Consider next the case of N = pq for p and q distinct primes each of length
roughly n/2.


PROPOSITION B.17 Let N = pq where p and q are distinct primes
each of length at least n/2. Then $\phi(N)/N = 1 - \mathrm{negl}(n)$.

PROOF We have

$\frac{\phi(N)}{N} = \frac{(p-1)(q-1)}{pq} = 1 - \frac{1}{q} - \frac{1}{p} + \frac{1}{pq} > 1 - \frac{1}{q} - \frac{1}{p} > 1 - 2 \cdot 2^{-(n/2 - 1)}.$

The proposition follows. ∎


We conclude that when N is prime or the product of two distinct large
primes, there exists an algorithm for generating a random element of $\mathbb{Z}_N^*$
that runs in time polynomial in $n = \|N\|$ and outputs fail with probability
negligible in n.

In this book, we simply write “$x \leftarrow \mathbb{Z}_N$” or “$x \leftarrow \mathbb{Z}_N^*$” to denote random
selection of an element x from $\mathbb{Z}_N$ or $\mathbb{Z}_N^*$ using, e.g., one of the algorithms of
this section. We stress that we will simply assume that x lies in the desired
range, with the implicit understanding that the algorithm for choosing x may
output fail with negligible probability.
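Algorithm B.14, its instantiation as Algorithm B.15 for $\mathbb{Z}_N$, the corresponding sampler for $\mathbb{Z}_N^*$, and the failure bound of Equation (B.1), as an added Python example (not the book's code). The membership predicates, the trial count chosen for $\mathbb{Z}_N^*$ and the function names are this example's own assumptions; `secrets.randbits` is Python's standard-library source of uniform random bit strings.

```python
"""Rejection sampling of a random group element (Algorithm B.14),
instantiated for Z_N (Algorithm B.15) and Z_N^*, plus the failure bound
of Equation (B.1). Added illustration, not code from the book."""

import math
import secrets
from typing import Callable, Optional


def sample_group_element(is_member: Callable[[int], bool], ell: int, t: int,
                         randbits: Callable[[int], int] = secrets.randbits) -> Optional[int]:
    """Algorithm B.14: draw uniform ell-bit strings (as integers in [0, 2^ell))
    until one is a group element; give up after t draws and return None ("fail").

    randbits is injectable so that tests can use a seeded generator; the
    default secrets.randbits is the right choice for cryptographic use.
    """
    for _ in range(t):
        x = randbits(ell)
        if is_member(x):
            return x
    return None


def sample_z_n(n_modulus: int, randbits=secrets.randbits) -> Optional[int]:
    """Algorithm B.15: random element of Z_N, with t = 2n trials for n = ||N||."""
    n = n_modulus.bit_length()
    return sample_group_element(lambda x: x < n_modulus, n, 2 * n, randbits)


def sample_z_n_star(n_modulus: int, randbits=secrets.randbits) -> Optional[int]:
    """Random element of Z_N^*: membership is x < N and gcd(x, N) = 1.

    The trial count t = 4n * n is this example's choice: Theorem B.16 and
    N/2^n >= 1/2 give per-draw success >= 1/(4n), so with p(n) = 4n the
    text's recipe t = p(n) * n bounds the failure probability by e^{-n}.
    """
    n = n_modulus.bit_length()
    is_unit = lambda x: x < n_modulus and math.gcd(x, n_modulus) == 1
    return sample_group_element(is_unit, n, 4 * n * n, randbits)


def fail_probability(success_per_trial: float, t: int) -> float:
    """Equation (B.1): (1 - |G|/2^ell)^t, with |G|/2^ell = success_per_trial."""
    return (1.0 - success_per_trial) ** t


def fail_bound_for_polynomial(p_n: int, n: int) -> float:
    """With per-trial success >= 1/p(n) and t = ceil(p(n)*n), the text shows
    the failure probability is at most e^{-n}; return the exact (B.1) value."""
    return fail_probability(1.0 / p_n, math.ceil(p_n * n))
```

Note that `sample_z_n_star` excludes 0 automatically, since gcd(0, N) = N ≠ 1, and that the uniformity argument of the text holds only because every accepted draw came from the same uniform distribution on $\{0,1\}^{\ell}$; reducing a random value modulo N instead of rejecting it would bias the result towards small residues.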
B.3 *Finding a Generator of a Cyclic Group

In  this  section  we  will  be  concerned  with  the  problem  of  finding  a generator 
of  an  arbitrary  cyclic  group  G of  order  q.  Here,  q does  not  necessarily  denote 
a prime  number;  indeed,  the  problem  of  finding  a generator  when  q is  prime 
is  rendered  trivial  by  Corollary  7.52. 

Our  approach  to  finding  a generator  will  be  to  find  a random  generator, 
proceeding  in  a manner  very  similar  to  that  of  Section  B.2.4.  Namely,  we 
will  repeatedly  sample  random  elements  of  G until  we  find  an  element  that 
is  a generator.  As  in  Section  B.2.4,  an  analysis  of  this  method  requires  an 
understanding  of  two  things: 

• How  to  efficiently  test  whether  a given  element  is  a generator;  and 

• the  fraction  of  group  elements  that  are  generators. 

In  order  to  understand  these  issues,  we  first  develop  a bit  of  additional  group- 
theoretic  background. 

B.3.1  Group-Theoretic  Background 

Recall that the order of an element h is the smallest positive integer i for
which $h^i = 1$. Let g be a generator of a group G of order q > 1; note that
this means the order of g is q. Consider any element $h \in G$ that is not the
identity (the identity cannot be a generator of G), and let us ask whether this
element might also be a generator of G. Since g generates G, we can write
$h = g^x$ for some $x \in \{1, \ldots, q - 1\}$ (note $x \neq 0$ since h is not the identity).
Consider two cases:

Case 1: gcd(x, q) = r > 1. Write $x = \alpha \cdot r$ and $q = \beta \cdot r$ with $\alpha, \beta$ non-zero
integers less than q. Then:

$h^{\beta} = (g^x)^{\beta} = g^{\alpha r \beta} = (g^q)^{\alpha} = 1.$

So the order of h is at most $\beta < q$, and h cannot be a generator of G.

Case 2: gcd(x, q) = 1. Let $i \le q$ be the order of h. Then

$g^0 = 1 = h^i = (g^x)^i = g^{xi},$

implying $xi = 0 \bmod q$ by Proposition 7.50. This means that $q \mid xi$. Since
gcd(x, q) = 1, however, Proposition 7.3 shows that $q \mid i$ and so i = q. We
conclude that h is a generator of G.

Summarizing the above, we see that for $x \in \{1, \ldots, q - 1\}$ the element
$h = g^x$ is a generator of G exactly when gcd(x, q) = 1. We have seen the set
$\{x \in \{1, \ldots, q - 1\} \mid \gcd(x, q) = 1\}$ before — it is exactly $\mathbb{Z}_q^*$! We have thus
proved the following:

THEOREM B.18 Let G be a cyclic group of order q > 1 with generator g.
Then there are $\phi(q)$ generators of G, and these are exactly given by the set
$\{g^x \mid x \in \mathbb{Z}_q^*\}$.

In particular, if G is a group of prime order q, then it has $\phi(q) = q - 1$
generators, exactly in agreement with Corollary 7.52.

We turn next to the question of determining whether a given element h
is a generator of G. Of course, one way to check whether h generates G is
to simply enumerate $\{h^0, h^1, \ldots, h^{q-1}\}$ to see whether this list includes every
element of G. This requires time linear in q (i.e., exponential in $\|q\|$) and
is therefore unacceptable for our purposes. Another approach, if we already
know a generator g, is to compute the discrete logarithm $x = \log_g h$ and then
apply the previous theorem; in general, however, we may not have such a g,
and anyway computing the discrete logarithm may itself be a hard problem.

If we know the factorization of q, we can do better.


PROPOSITION B.19 Let G be a group of order q, and let $q = \prod_{i=1}^{k} p_i^{e_i}$
be the prime factorization of q, where the $\{p_i\}$ are distinct primes and $e_i \ge 1$.
Set $q_i = q/p_i$. Then $h \in G$ is a generator of G if and only if

$h^{q_i} \neq 1$ for $i = 1, \ldots, k$.

PROOF One direction is easy. Say $h^{q_i} = 1$ for some i. Then the order of
h is at most $q_i < q$, and so h cannot be a generator.

Conversely, say h is not a generator but instead has order $q' < q$. By
Proposition 7.51, we know $q' \mid q$. This implies that $q'$ can be written as
$q' = \prod_{i=1}^{k} p_i^{e'_i}$, where $e'_i \ge 0$ and for at least one index j we have $e'_j < e_j$. But
then $q'$ divides $q_j = p_j^{e_j - 1} \cdot \prod_{i \neq j} p_i^{e_i}$ and so (using Proposition 7.50)

$h^{q_j} = h^{[q_j \bmod q']} = h^{0} = 1.$ ∎

The proposition does not require G to be cyclic; if G is not cyclic then every
element $h \in G$ will satisfy $h^{q_i} = 1$ for some i and so there are no generators
(as must be the case if G is not cyclic).

B.3.2  Efficient  Algorithms 

We  now  show  how  to  efficiently  test  whether  a given  element  is  a generator, 
as  well  as  how  to  efficiently  find  a generator  in  an  arbitrary  group. 
Testing if an Element is a Generator

Proposition  B.19  immediately  suggests  an  efficient  algorithm  for  deciding 
whether  a given  element  h is  a generator  or  not. 


ALGORITHM B.20

Testing whether an element is a generator

Input: Group order q; prime factors of q; element $h \in G$

Output: A decision as to whether h is a generator of G

for i = 1 to k:
    if $h^{q/p_i} = 1$ return “h is not a generator”
return “h is a generator”


Correctness of the algorithm is evident from Proposition B.19. We now
show that the algorithm terminates in time polynomial in $\|q\|$. Since, in each
iteration, $h^{q/p_i}$ can be computed in polynomial time, we need only show that
the number of iterations k is polynomial. This is the case since an integer q
can have no more than $\log_2 q = O(\|q\|)$ prime factors; this is true because

$q = \prod_{i=1}^{k} p_i^{e_i} \ge \prod_{i=1}^{k} p_i \ge \prod_{i=1}^{k} 2 = 2^k,$

and so $k \le \log_2 q$.

Algorithm  B.20  requires  the  prime  factors  of  the  group  order  q to  be  pro- 
vided as  input.  Interestingly,  there  is  no  known  efficient  algorithm  for  testing 
whether  an  element  of  an  arbitrary  group  is  a generator  when  the  factors  of 
the  group  order  are  not  known. 


The  Fraction  of  Elements  that  are  Generators 

As shown in Theorem B.18, the fraction of elements of a group G of order q
that are generators is $\phi(q)/q$. Theorem B.16 says that $\phi(q)/q = \Omega(1/\|q\|)$.
The fraction of elements that are generators is thus sufficiently high to ensure
that sampling a polynomial number of elements from the group will yield a
generator with all but negligible probability. (The analysis is the same as in
Section B.2.4.)

Concrete Examples in $\mathbb{Z}_p^*$

Putting everything together, there is an efficient probabilistic method for
finding a generator of a group G as long as the factorization of the group
order is known. When selecting a group for cryptographic applications, it is
therefore important that the group is chosen in such a way that this holds. For
groups of the form $\mathbb{Z}_p^*$, with p prime, some of the possibilities are as follows:

• As we have already discussed fairly extensively in Section 7.3.2, working
in a prime order subgroup of $\mathbb{Z}_p^*$ has the effect of, among other things,
eliminating the above difficulties that arise when q is not prime. Recall
that one way to obtain such a subgroup is to choose p as a strong prime
(i.e., so that p = 2q + 1 with q also prime) and then work in the subgroup
of quadratic residues modulo p (which is a subgroup of prime order q).
In this case, all elements (apart from the identity) are generators.

• Alternately, if p is a strong prime as above then the order of the cyclic
group $\mathbb{Z}_p^*$ is 2q and so the factorization of the group order is known. A
generator of this group can thus be easily found, even though the group
does not have prime order.

• Another possibility is to generate a random prime p in such a way that
the factorization of p − 1 is known. This is possible, but the details are
beyond the scope of this book.
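Algorithm B.20 applied to the first two strong-prime constructions above (the full group $\mathbb{Z}_p^*$ of order 2q and its order-q subgroup of quadratic residues), together with the random search for a generator described in this section, as an added Python example that is not the book's code. The small strong primes used for checking (p = 23 with q = 11, p = 47 with q = 23) and the function names are this example's own choices; Python's built-in `pow(h, e, p)` supplies the modular exponentiation of Section B.2.3.

```python
"""Generator testing (Algorithm B.20 / Proposition B.19) and random
generator search in Z_p^* for a strong prime p = 2q + 1. Added
illustration, not code from the book."""

import random
from typing import Iterable, Optional


def is_generator(h: int, order: int, prime_factors: list[int], p: int) -> bool:
    """Algorithm B.20 for a subgroup of Z_p^* of the given order.

    h must lie in the subgroup (h^order = 1 mod p); Proposition B.19 then says
    h generates it iff h^(order/r) != 1 for every prime r dividing order.
    """
    if not (0 < h < p) or pow(h, order, p) != 1:
        raise ValueError("h is not an element of the subgroup")
    for r in prime_factors:
        if order % r != 0:
            raise ValueError("prime_factors must divide the order")
        if pow(h, order // r, p) == 1:
            return False          # "h is not a generator"
    return True                   # "h is a generator"


def count_generators(order: int, prime_factors: list[int], p: int,
                     elements: Iterable[int]) -> int:
    """Brute-force count of generators among the given elements, to compare
    with Theorem B.18's phi(order)."""
    return sum(1 for h in elements if is_generator(h, order, prime_factors, p))


def find_generator_strong_prime(p: int, q: int, t: int,
                                rng: Optional[random.Random] = None) -> Optional[int]:
    """Random search for a generator of Z_p^* when p = 2q + 1 is a strong prime,
    so the order 2q has the known factorization {2, q} (second bullet above).
    Returns None ("fail") after t unsuccessful samples.  rng defaults to
    random.SystemRandom, i.e. the OS entropy source."""
    if p != 2 * q + 1:
        raise ValueError("p must equal 2q + 1")
    rng = rng or random.SystemRandom()
    for _ in range(t):
        h = rng.randrange(1, p)   # every 1 <= h < p lies in Z_p^* since p is prime
        if is_generator(h, 2 * q, [2, q], p):
            return h
    return None


def quadratic_residue_subgroup(p: int) -> list[int]:
    """The subgroup {h^2 mod p : h in Z_p^*} of quadratic residues; for a
    strong prime p = 2q + 1 it has prime order q (first bullet above)."""
    return sorted({pow(h, 2, p) for h in range(1, p)})
```

With p = 23 the search succeeds on a fraction $\phi(22)/22 = 10/22$ of draws, matching Theorem B.18, while in the quadratic-residue subgroup of order q = 11 every element other than 1 passes the test with the single factor list `[q]`, which is the "all elements apart from the identity are generators" statement of the first bullet.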


References  and  Additional  Reading 

The book by Shoup [131] is highly recommended for those seeking to explore
the topics of this chapter in further detail. In particular, bounds on $\phi(N)/N$
(and an asymptotic version of Theorem B.16) can be found in [131, Chapter 5].

A nice result by Kalai [82] gives an easy method for generating random
numbers along with their prime factorization.


Exercises 

B.1 Prove correctness of the extended Euclidean algorithm.

B.2 Prove that the extended Euclidean algorithm runs in time polynomial
in the lengths of its inputs.

Hint: First prove a proposition analogous to Proposition B.8.

B.3 Develop an iterative algorithm for efficient (i.e., polynomial-time) computation
of $[a^b \bmod N]$. (An iterative algorithm does not make recursive
calls to itself.)

Hint:  Use  auxiliary  variables  x (initialized  to  a)  and  t (initialized  to  1), 
and  maintain  the  invariant  t ■ mod  N.  The  algorithm  terminates 

when  X = \ and  t holds  the  final  result. 

B.4 Show how to determine that an n-bit string is in $\mathbb{Z}_N^*$ in polynomial time.